https://release-1-16-0--kyverno.netlify.app/policies/Recent content in Policies on KyvernoHugoenhttps://release-1-16-0--kyverno.netlify.app/policies/psp-migration/add-apparmor/add-apparmor/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psp-migration/add-apparmor/add-apparmor/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psp-migration/add-apparmor/add-apparmor.yaml" target="-blank">/psp-migration/add-apparmor/add-apparmor.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-apparmor-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add AppArmor Annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">PSP Migration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> In the earlier Pod Security Policy controller, it was possible to define </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> a setting which would enable AppArmor for all the containers within a Pod so </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> they may be assigned the desired profile. Assigning an AppArmor profile, accomplished </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> via an annotation, is useful in that it allows secure defaults to be defined and may </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> also result in passing other validation rules such as those in the Pod Security Standards. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> This policy mutates Pods to add an annotation for every container to enabled AppArmor </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> at the runtime/default level.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">apparmor-runtime-default</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.[ephemeralContainers, initContainers, containers][]</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="l">container.apparmor.security.beta.kubernetes.io/{{element.name}}: runtime/default</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psp-migration/add-capabilities/add-capabilities/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psp-migration/add-capabilities/add-capabilities/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psp-migration/add-capabilities/add-capabilities.yaml" target="-blank">/psp-migration/add-capabilities/add-capabilities.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">PSP Migration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> In the earlier Pod Security Policy controller, it was possible to configure a policy </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> to add capabilities to containers within a Pod. This made it easier to assign some basic defaults </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> rather than blocking Pods or to simply provide capabilities for certain workloads if not specified. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy mutates Pods to add the capabilities SETFCAP and SETUID so long as they are not listed </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> as dropped capabilities first.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-setfcap-setuid</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.[ephemeralContainers, initContainers, containers][]</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">SETFCAP</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.securityContext.capabilities.drop[] || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> - path: /spec/containers/{{elementIndex}}/securityContext/capabilities/add/- </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> op: add </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> value: SETFCAP</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.[ephemeralContainers, initContainers, containers][]</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">SETUID</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.securityContext.capabilities.drop[] || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="sd"> - path: /spec/containers/{{elementIndex}}/securityContext/capabilities/add/- </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="sd"> op: add </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="sd"> value: SETUID</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/castai/add-castai-removal-disabled/add-castai-removal-disabled/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/castai/add-castai-removal-disabled/add-castai-removal-disabled/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//castai/add-castai-removal-disabled/add-castai-removal-disabled.yaml" target="-blank">/castai/add-castai-removal-disabled/add-castai-removal-disabled.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-castai-removal-disabled</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add CAST AI Removal Disabled</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">CAST AI</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Job, CronJob&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.9&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.25&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="l">CAST AI will not downscale a node that includes a pod with the </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="l">autoscaling.cast.ai/removal-disabled=&#34;true&#34; label on it, this protects</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="l">sensitive workloads from being evicted and can be attributed to any pod to</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="l">protect against unwanted downscaling. This policy will mutate jobs and </span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="l">cronjobs to add the removal-disabled label to protect against eviction. </span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">do-not-evict-jobs</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">autoscaling.cast.ai/removal-disabled</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">do-not-evict-cronjobs</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="l">CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">jobTemplate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">autoscaling.cast.ai/removal-disabled</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-certificates-volume/add-certificates-volume/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-certificates-volume/add-certificates-volume/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-certificates-volume/add-certificates-volume.yaml" target="-blank">/other/add-certificates-volume/add-certificates-volume.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-certificates-volume</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Certificates as a Volume</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,Volume</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.21&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.5.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">DaemonSet,Deployment,Job,StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In some cases you would need to trust custom CA certificates for all the containers of a Pod. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> It makes sense to be in a ConfigMap so that you can automount them by only setting an annotation. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy adds a volume to all containers in a Pod containing the certificate if the annotation </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> called `inject-certs` with value `enabled` is found.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-ssl-certs</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{request.object.metadata.annotations.&#34;inject-certs&#34; || &#34;&#34;}}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">enabled</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">volumeMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">etc-ssl-certs</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l">/etc/ssl/certs</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">etc-ssl-certs</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">configMap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ca-pemstore</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-default-resources/add-default-resources/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-default-resources/add-default-resources/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-default-resources/add-default-resources.yaml" target="-blank">/other/add-default-resources/add-default-resources.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion </span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-default-resources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Default Resources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span>-<span class="l">alpha.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pods which don&#39;t specify at least resource requests are assigned a QoS class </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> of BestEffort which can hog resources for other Pods on Nodes. At a minimum, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> all Pods should specify resource requests in order to be labeled as the QoS </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> class Burstable. This sample mutates any container in a Pod which doesn&#39;t </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> specify memory or cpu requests to apply some sane defaults.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-default-requests</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.[ephemeralContainers, initContainers, containers][]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">+(memory)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;100Mi&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">+(cpu)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;100m&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-default-securitycontext/add-default-securitycontext/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-default-securitycontext/add-default-securitycontext/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-default-securitycontext/add-default-securitycontext.yaml" target="-blank">/other/add-default-securitycontext/add-default-securitycontext.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-default-securitycontext</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Default securityContext</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> A Pod securityContext entry defines fields such as the user and group which should be used to run the Pod. </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Sometimes choosing default values for users rather than blocking is a better alternative to not impede </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> such Pod definitions. This policy will mutate a Pod to set `runAsNonRoot`, `runAsUser`, `runAsGroup`, and </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> `fsGroup` fields within the Pod securityContext if they are not already set.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-default-securitycontext</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">+(runAsNonRoot)</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">+(runAsUser)</span><span class="p">:</span><span class="w"> </span><span class="m">1000</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">+(runAsGroup)</span><span class="p">:</span><span class="w"> </span><span class="m">3000</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">+(fsGroup)</span><span class="p">:</span><span class="w"> </span><span class="m">2000</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-emptydir-sizelimit/add-emptydir-sizelimit/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-emptydir-sizelimit/add-emptydir-sizelimit/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-emptydir-sizelimit/add-emptydir-sizelimit.yaml" target="-blank">/other/add-emptydir-sizelimit/add-emptydir-sizelimit.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-emptydir-sizelimit</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add emptyDir sizeLimit</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.3</span><span class="p">,</span><span class="m">1.8.0</span>-<span class="l">rc2</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> When a Pod requests an emptyDir, by default it does not have a size limit which </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> may allow it to consume excess or all of the space in the medium backing the volume. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This can quickly overrun a Node and may result in a denial of service for other </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> workloads. This policy adds a sizeLimit field to all Pods mounting emptyDir </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> volumes, if not present, and sets it to 100Mi.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mutate-emptydir</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.volumes[]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.keys(@)}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">emptyDir</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.emptyDir.sizeLimit || &#39;&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> - path: &#34;/spec/volumes/{{elementIndex}}/emptyDir/sizeLimit&#34; </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> op: add </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> value: 100Mi</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-env-vars-from-cm/add-env-vars-from-cm/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-env-vars-from-cm/add-env-vars-from-cm/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-env-vars-from-cm/add-env-vars-from-cm.yaml" target="-blank">/other/add-env-vars-from-cm/add-env-vars-from-cm.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-env-vars-from-cm</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Environment Variables from ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Instead of defining a common set of environment variables multiple </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> times either in manifests or separate policies, Pods can reference </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> entire collections stored in a ConfigMap. This policy mutates all </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> initContainers (if present) and containers in a Pod with environment </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> variables defined in a ConfigMap named `nsenvvars` that must exist </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> in the destination Namespace. </span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-env-vars-from-cm</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">initContainers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">envFrom</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">configMapRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">nsenvvars</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">envFrom</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">configMapRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">nsenvvars</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-image-as-env-var/add-image-as-env-var/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-image-as-env-var/add-image-as-env-var/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-image-as-env-var/add-image-as-env-var.yaml" target="-blank">/other/add-image-as-env-var/add-image-as-env-var.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-image-as-env-var</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Image as Environment Variable</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span>-<span class="l">alpha.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The Kubernetes downward API only has the ability to express so many </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> options as environment variables. The image consumed in a Pod is commonly </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> needed to make the application aware of some logic it must take. This policy </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> takes the value of the `image` field and adds it as an environment variable </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> to Pods.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pod-containers-inject-image</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.containers[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> - op: add </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> path: /spec/containers/{{elementIndex}}/env/- </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> value: </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> name: K8S_IMAGE </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> value: &#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-imagepullsecrets/add-imagepullsecrets/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-imagepullsecrets/add-imagepullsecrets/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-imagepullsecrets/add-imagepullsecrets.yaml" target="-blank">/other/add-imagepullsecrets/add-imagepullsecrets.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-imagepullsecrets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add imagePullSecrets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Images coming from certain registries require authentication in order to pull them, </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> and the kubelet uses this information in the form of an imagePullSecret to pull </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> those images on behalf of your Pod. This policy searches for images coming from a </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> registry called `corp.reg.com` and, if found, will mutate the Pod to add an </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> imagePullSecret called `my-secret`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-imagepullsecret</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">&lt;(image)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;corp.reg.com/*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">imagePullSecrets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-secret</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-imagepullsecrets-for-containers-and-initcontainers/add-imagepullsecrets-for-containers-and-initcontainers/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-imagepullsecrets-for-containers-and-initcontainers/add-imagepullsecrets-for-containers-and-initcontainers/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-imagepullsecrets-for-containers-and-initcontainers/add-imagepullsecrets-for-containers-and-initcontainers.yaml" target="-blank">/other/add-imagepullsecrets-for-containers-and-initcontainers/add-imagepullsecrets-for-containers-and-initcontainers.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-imagepullsecrets-for-containers-and-initcontainers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add imagePullSecrets for Containers and InitContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Images coming from certain registries require authentication in order to pull them, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> and the kubelet uses this information in the form of an imagePullSecret to pull </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> those images on behalf of your Pod. This policy searches for images coming from a </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> registry called `corp.reg.com` referenced by either one of the containers or one </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> of the init containers and, if found, will mutate the Pod to add an </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> imagePullSecret called `my-secret`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-imagepullsecret</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;corp.reg.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ images.initContainers.*.registry || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;corp.reg.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ images.containers.*.registry }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">imagePullSecrets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-secret</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio/add-ambient-mode-namespace/add-ambient-mode-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio/add-ambient-mode-namespace/add-ambient-mode-namespace/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml" target="-blank">/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-ambient-mode-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Istio Ambient Mode</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> must be set to `ambient`. As an alternative to rejecting Namespace definitions which don&#39;t already </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode` </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> set to `ambient` for all new Namespaces.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-ambient-mode-enabled</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">istio-system </span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">istio.io/dataplane-mode</span><span class="p">:</span><span class="w"> </span><span class="l">ambient</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio/add-sidecar-injection-namespace/add-sidecar-injection-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio/add-sidecar-injection-namespace/add-sidecar-injection-namespace/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio/add-sidecar-injection-namespace/add-sidecar-injection-namespace.yaml" target="-blank">/istio/add-sidecar-injection-namespace/add-sidecar-injection-namespace.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-sidecar-injection-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Istio Sidecar Injection</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In order for Istio to inject sidecars to workloads deployed into Namespaces, the label </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> `istio-injection` must be set to `enabled`. As an alternative to rejecting Namespace definitions </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> which don&#39;t already contain this label, it can be added automatically. This policy adds the label </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> `istio-inject` set to `enabled` for all new Namespaces.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-istio-injection-enabled</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">istio-injection</span><span class="p">:</span><span class="w"> </span><span class="l">enabled</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/karpenter/add-karpenter-donot-evict/add-karpenter-donot-evict/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/karpenter/add-karpenter-donot-evict/add-karpenter-donot-evict/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//karpenter/add-karpenter-donot-evict/add-karpenter-donot-evict.yaml" target="-blank">/karpenter/add-karpenter-donot-evict/add-karpenter-donot-evict.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-karpenter-donot-evict</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Karpenter Do Not Evict</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Karpenter, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">If a Pod exists with the annotation `karpenter.sh/do-not-evict</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="l">` on a Node,</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="l">and a request is made to delete the Node, Karpenter will not drain any Pods from</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="l">that Node or otherwise try to delete the Node. This is useful for Pods that should</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="l">run uninterrupted to completion. This policy mutates Jobs and CronJobs</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">so that Pods spawned by them will contain the `karpenter.sh/do-not-evict</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="l">` annotation.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">do-not-evict-jobs</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">karpenter.sh/do-not-evict</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">do-not-evict-cronjobs</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="l">CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">jobTemplate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">karpenter.sh/do-not-evict</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/karpenter/add-karpenter-nodeselector/add-karpenter-nodeselector/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/karpenter/add-karpenter-nodeselector/add-karpenter-nodeselector/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//karpenter/add-karpenter-nodeselector/add-karpenter-nodeselector.yaml" target="-blank">/karpenter/add-karpenter-nodeselector/add-karpenter-nodeselector.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-karpenter-nodeselector</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Karpenter nodeSelector</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Karpenter, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="l">Selecting the correct Node(s) provisioned by Karpenter is a way to specify</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="l">the appropriate resource landing zone for a workload. This policy injects a</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="l">nodeSelector map into the Pod based on the Namespace type where it is deployed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">namespaceSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">medium </span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">nodeSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">kubernetes.io/arch</span><span class="p">:</span><span class="w"> </span><span class="l">amd64</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">karpenter.sh/capacity-type</span><span class="p">:</span><span class="w"> </span><span class="l">spot</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-large</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">namespaceSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">large</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">nodeSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">kubernetes.io/arch</span><span class="p">:</span><span class="w"> </span><span class="l">amd64</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">karpenter.sh/capacity-type</span><span class="p">:</span><span class="w"> </span><span class="kc">on</span>-<span class="l">demand</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-labels/add-labels/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-labels/add-labels/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-labels/add-labels.yaml" target="-blank">/other/add-labels/add-labels.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Label</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Labels are used as an important source of metadata describing objects in various ways </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> or triggering other functionality. Labels are also a very basic concept and should be </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> used throughout Kubernetes. This policy performs a simple mutation which adds a label </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> `foo=bar` to Pods, Services, ConfigMaps, and Secrets.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">foo</span><span class="p">:</span><span class="w"> </span><span class="l">bar</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/linkerd/add-linkerd-mesh-injection/add-linkerd-mesh-injection/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/linkerd/add-linkerd-mesh-injection/add-linkerd-mesh-injection/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//linkerd/add-linkerd-mesh-injection/add-linkerd-mesh-injection.yaml" target="-blank">/linkerd/add-linkerd-mesh-injection/add-linkerd-mesh-injection.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-linkerd-mesh-injection</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Linkerd Mesh Injection</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Linkerd</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace, Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Sidecar proxy injection in Linkerd may be handled at the Namespace level by </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> setting the annotation `linkerd.io/inject` to `enabled`. In addition, a second </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> annotation may be applied which controls the Pod startup behavior. This policy </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> sets the annotations, if not present, `linkerd.io/inject` and `config.linkerd.io/proxy-await` </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to `enabled` on all new Namespaces.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-mesh-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">+(linkerd.io/inject)</span><span class="p">:</span><span class="w"> </span><span class="l">enabled</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">+(config.linkerd.io/proxy-await)</span><span class="p">:</span><span class="w"> </span><span class="l">enabled</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/linkerd/add-linkerd-policy-annotation/add-linkerd-policy-annotation/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/linkerd/add-linkerd-policy-annotation/add-linkerd-policy-annotation/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//linkerd/add-linkerd-policy-annotation/add-linkerd-policy-annotation.yaml" target="-blank">/linkerd/add-linkerd-policy-annotation/add-linkerd-policy-annotation.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-linkerd-policy-annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Linkerd Policy Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Linkerd</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace,Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Linkerd will, by default, allow all incoming traffic to Pods in the mesh </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> including that from outside the cluster network. In many cases, this default </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> needs to be changed to deny all traffic so it may be selectively </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> opened using Linkerd policy objects. This policy sets the annotation </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> `config.linkerd.io/default-inbound-policy` to `deny`, if not present, for new Namespaces. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> It can be customized with exclusions to more tightly control its application.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-inbound-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">+(config.linkerd.io/default-inbound-policy)</span><span class="p">:</span><span class="w"> </span><span class="l">deny</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-ndots/add-ndots/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-ndots/add-ndots/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-ndots/add-ndots.yaml" target="-blank">/other/add-ndots/add-ndots.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-ndots</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add ndots</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> The ndots value controls where DNS lookups are first performed in a cluster </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> and needs to be set to a lower value than the default of 5 in some cases. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy mutates all Pods to add the ndots option with a value of 1.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-ndots</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">dnsConfig</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">options</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ndots</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/add-network-policy/add-network-policy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/add-network-policy/add-network-policy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/add-network-policy/add-network-policy.yaml" target="-blank">/best-practices/add-network-policy/add-network-policy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-networkpolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Network Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Multi-Tenancy, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> By default, Kubernetes allows communications across all Pods within a cluster. </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> communications. A default NetworkPolicy should be configured for each Namespace to </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> default deny all ingress and egress traffic to the Pods in the Namespace. Application </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> teams can then configure additional NetworkPolicy resources to allow desired traffic </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> to application Pods from select sources. This policy will create a new NetworkPolicy resource </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> named `default-deny` which will deny all traffic anytime a new Namespace is created.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-deny</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-deny</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="c"># select all pods in the namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="c"># deny all traffic</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="l">Egress</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/add-networkpolicy-dns/add-networkpolicy-dns/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/add-networkpolicy-dns/add-networkpolicy-dns/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/add-networkpolicy-dns/add-networkpolicy-dns.yaml" target="-blank">/best-practices/add-networkpolicy-dns/add-networkpolicy-dns.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-networkpolicy-dns</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Network Policy for DNS</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Multi-Tenancy, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> By default, Kubernetes allows communication across all Pods within a cluster. The NetworkPolicy </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communication. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> A default NetworkPolicy should be configured for each Namespace to deny all egress traffic </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> from the Pods while still allowing DNS resolution. Application teams can then configure additional </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> NetworkPolicy resources to allow desired traffic to application Pods from select sources. This </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> policy will create a new NetworkPolicy resource named `allow-dns` when a new Namespace is created, </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> which will deny all egress traffic while still allowing DNS queries to the kube-system Namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-netpol-dns</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allow-dns</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="l">Egress</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">egress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">to</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">namespaceSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">UDP</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">53</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-node-affinity/add-node-affinity/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-node-affinity/add-node-affinity/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-node-affinity/add-node-affinity.yaml" target="-blank">/other/add-node-affinity/add-node-affinity.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-node-affinity</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Node Affinity</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.21&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Node affinity, similar to node selection, is a way to specify which node(s) on which Pods will be scheduled </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> but based on more complex conditions. This policy will add node affinity to a Deployment and if one already </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> exists an expression will be added to it.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-node-affinity-deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="sd"> - path: &#34;/spec/template/spec/affinity/nodeAffinity/requiredDuringSchedulingIgnoredDuringExecution/nodeSelectorTerms/-1/matchExpressions/-1&#34; </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="sd"> op: add </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> value: </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> key: zone_weight </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> operator: Lt </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> values: </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> - &#34;400&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-nodeselector/add-nodeselector/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-nodeselector/add-nodeselector/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-nodeSelector/add-nodeSelector.yaml" target="-blank">/other/add-nodeSelector/add-nodeSelector.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-nodeselector</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add nodeSelector</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> The nodeSelector field uses labels to select the node on which a Pod can be scheduled. </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> This can be useful when Pods have specific needs that only certain nodes in a cluster can provide. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy adds the nodeSelector field to a Pod spec and configures it with labels `foo` and `color`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-nodeselector</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="c"># Adds the `nodeSelector` field to any Pod with two labels.</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">nodeSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">foo</span><span class="p">:</span><span class="w"> </span><span class="l">bar</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">color</span><span class="p">:</span><span class="w"> </span><span class="l">orange</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/create-pod-antiaffinity/create-pod-antiaffinity/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/create-pod-antiaffinity/create-pod-antiaffinity/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/create-pod-antiaffinity/create-pod-antiaffinity.yaml" target="-blank">/other/create-pod-antiaffinity/create-pod-antiaffinity.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">insert-pod-antiaffinity</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Pod Anti-Affinity</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Applications may involve multiple replicas of the same Pod for availability as well as scale </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> purposes, yet Kubernetes does not by default provide a solution for availability. This policy </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> sets a Pod anti-affinity configuration on Deployments which contain an `app` label if it is </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> not already present.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">insert-pod-antiaffinity</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="c"># This precondition selects Pods with the label `app` defined</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.template.metadata.labels.app || &#39;&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="c"># Mutates the Deployment resource to add fields.</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="c"># Add the `affinity`if not already specified.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">+(affinity)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">+(podAntiAffinity)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">+(preferredDuringSchedulingIgnoredDuringExecution)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">weight</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">podAffinityTerm</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">topologyKey</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;kubernetes.io/hostname&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">labelSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">matchExpressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">app</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">In</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{request.object.spec.template.metadata.labels.app}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/create-default-pdb/create-default-pdb/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/create-default-pdb/create-default-pdb/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/create-default-pdb/create-default-pdb.yaml" target="-blank">/other/create-default-pdb/create-default-pdb.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">create-default-pdb</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Pod Disruption Budget</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> A PodDisruptionBudget limits the number of Pods of a replicated application that </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> are down simultaneously from voluntary disruptions. For example, a quorum-based </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> application would like to ensure that the number of replicas running is never brought </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> below the number needed for a quorum. As an application owner, you can create a PodDisruptionBudget (PDB) </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> for each application. This policy will create a PDB resource whenever a new Deployment is created.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">create-default-pdb</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policy/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}-default-pdb&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">minAvailable</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.selector}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-pod-priorityclassname/add-pod-priorityclassname/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-pod-priorityclassname/add-pod-priorityclassname/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-pod-priorityclassname/add-pod-priorityclassname.yaml" target="-blank">/other/add-pod-priorityclassname/add-pod-priorityclassname.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-pod-priorityclassname</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Pod priorityClassName</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="l">A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="l">This policy adds the priorityClassName of `non-production` to any Pod controller deployed</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="l">into a Namespace that does not have the label env=production.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-priorityclass-controllers</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">namespaceSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">matchExpressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">env</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> - op: remove </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> path: &#39;/spec/template/spec/priority&#39; </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> - op: add </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> path: /spec/template/spec/priorityClassName </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> value: &#39;non-production&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-priorityclass-cronjobs</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="l">CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">namespaceSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">matchExpressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">env</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="sd"> - op: remove </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="sd"> path: &#39;/spec/jobTemplate/spec/template/spec/priority&#39; </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="sd"> - op: add </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="sd"> path: /spec/jobTemplate/spec/template/spec/priorityClassName </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="sd"> value: &#39;non-production&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-pod-proxies/add-pod-proxies/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-pod-proxies/add-pod-proxies/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-pod-proxies/add-pod-proxies.yaml" target="-blank">/other/add-pod-proxies/add-pod-proxies.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-pod-proxies</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Pod Proxies</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> In restricted environments, Pods may not be allowed to egress directly to all destinations </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> and some overrides to specific addresses may need to go through a corporate proxy. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy adds proxy information to Pods in the form of environment variables. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> It will add the `env` array if not present. If any Pods have any of these </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> env vars, they will be overwritten with the value(s) in this policy.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-pod-proxies</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">HTTP_PROXY</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">http://proxy.corp.domain:8080</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">HTTPS_PROXY</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">https://secureproxy.corp.domain:8080</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">NO_PROXY</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">localhost,*.example.com</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/external-secret-operator/add-external-secret-prefix/add-external-secret-prefix/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/external-secret-operator/add-external-secret-prefix/add-external-secret-prefix/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//external-secret-operator/add-external-secret-prefix/add-external-secret-prefix.yaml" target="-blank">/external-secret-operator/add-external-secret-prefix/add-external-secret-prefix.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-external-secret-prefix</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add prefix to external secret</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalSecretOperator</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalSecret</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="l">This Policy mutates secretRef key to add a prefix.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="l">External Secret Operator proposes to use kyverno to force ExternalSecrets</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="l">to have namespace prefix so that kubernetes administrators do not need to</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="l">define permissions and users per namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="l">Doing this developers are abstracted by administrators naming convention and will not </span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="l">be able to access secrets from other namespaces.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="l">In this example, in the JSON patch change &#34;prefix-&#34; to your preferred prefix. For example: {{ request.namespace }}</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-external-secret-prefix</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">external-secrets.io/v1beta1/ExternalSecret</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.data&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> - path: /spec/data/{{elementIndex}}/remoteRef </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> op: add </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> value: </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> key: &#34;prefix-{{element.remoteRef.key}}&#34; </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> property: &#34;{{element.remoteRef.property}}&#34; </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> conversionStrategy: &#34;{{element.remoteRef.conversionStrategy}}&#34; </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> decodingStrategy: &#34;{{element.remoteRef.decodingStrategy}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/karpenter/add-karpenter-daemonset-priority-class/add-karpenter-daemonset-priority-class/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/karpenter/add-karpenter-daemonset-priority-class/add-karpenter-daemonset-priority-class/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//karpenter/add-karpenter-daemonset-priority-class/add-karpenter-daemonset-priority-class.yaml" target="-blank">/karpenter/add-karpenter-daemonset-priority-class/add-karpenter-daemonset-priority-class.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-karpenter-daemonset-priority-class</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add priority class for DaemonSets to help Karpenter.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Karpenter</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.3</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> When a DaemonSet is added to a cluster every node will get a new pod. There may not be </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> enough room for this on every node. Karpenter cannot provision extra nodes just for the </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> DaemonSet because the new pods are not scheduled the way regular pods are. It would require </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> parallel scheduling logic that is not proper to Kubernetes. Therefore, eviction of regular </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> pods should happen instead. This can be achieved with the priority class system-node-critical.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-karpenter-daemonset-priority-class</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">priorityClassName</span><span class="p">:</span><span class="w"> </span><span class="l">system-node-critical</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psa/add-privileged-existing-namespaces/add-privileged-existing-namespaces/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psa/add-privileged-existing-namespaces/add-privileged-existing-namespaces/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psa/add-privileged-existing-namespaces/add-privileged-existing-namespaces.yaml" target="-blank">/psa/add-privileged-existing-namespaces/add-privileged-existing-namespaces.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-privileged-existing-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Privileged Label to Existing Namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Admission</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> When Pod Security Admission is configured with a cluster-wide AdmissionConfiguration file </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> which sets either baseline or restricted, for example in many PaaS CIS profiles, it may </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> be necessary to relax this to privileged on a per-Namespace basis so that more </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> granular control can be provided. This policy labels new and existing Namespaces, except </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> that of kube-system, with the `pod-security.kubernetes.io/enforce: privileged` label.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">mutateExistingOnPolicyUpdate</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">label-privileged-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">&lt;(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!kube-system&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/enforce</span><span class="p">:</span><span class="w"> </span><span class="l">privileged</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psa/add-psa-labels/add-psa-labels/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psa/add-psa-labels/add-psa-labels/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psa/add-psa-labels/add-psa-labels.yaml" target="-blank">/psa/add-psa-labels/add-psa-labels.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-psa-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add PSA Labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Admission, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pod Security Admission (PSA) can be controlled via the assignment of labels </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> at the Namespace level which define the Pod Security Standard (PSS) profile </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> in use and the action to take. If not using a cluster-wide configuration </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> via an AdmissionConfiguration file, Namespaces must be explicitly labeled. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> This policy assigns the labels `pod-security.kubernetes.io/enforce=baseline` </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> and `pod-security.kubernetes.io/warn=restricted` to all new Namespaces if </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> those labels are not included.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-baseline-enforce-restricted-warn</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">+(pod-security.kubernetes.io/enforce)</span><span class="p">:</span><span class="w"> </span><span class="l">baseline</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">+(pod-security.kubernetes.io/warn)</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psa/add-psa-namespace-reporting/add-psa-namespace-reporting/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psa/add-psa-namespace-reporting/add-psa-namespace-reporting/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml" target="-blank">/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-psa-namespace-reporting</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add PSA Namespace Reporting</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Admission, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy is valuable as it ensures that all namespaces within a Kubernetes </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> cluster are labeled with Pod Security Admission (PSA) labels, which are crucial </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> for defining security levels and ensuring that pods within a namespace operate </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> under the defined Pod Security Standard (PSS). By enforcing namespace labeling, </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> This policy audits namespaces to verify the presence of PSA labels. </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> If a namespace is found without the required labels, it generates and maintain </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> and ClusterPolicy Report in default namespace. </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> This helps administrators identify namespaces that do not comply with the </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> organization&#39;s security practices and take appropriate action to rectify the </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="sd"> situation.</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-namespace-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">This Namespace is missing a PSA label.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/*</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml" target="-blank">/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-psa-namespace-reporting</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add PSA Namespace Reporting in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Admission, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy is valuable as it ensures that all namespaces within a Kubernetes </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> cluster are labeled with Pod Security Admission (PSA) labels, which are crucial </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> for defining security levels and ensuring that pods within a namespace operate </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> under the defined Pod Security Standard (PSS). By enforcing namespace labeling, </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> This policy audits namespaces to verify the presence of PSA labels. </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> If a namespace is found without the required labels, it generates and maintain </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> and ClusterPolicy Report in default namespace. </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> This helps administrators identify namespaces that do not comply with the </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> organization&#39;s security practices and take appropriate action to rectify the </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="sd"> situation.</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-namespace-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.metadata.?labels.orValue([]).exists(label, label.startsWith(&#39;pod-security.kubernetes.io/&#39;) &amp;&amp; object.metadata.labels[label] != &#39;&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">This Namespace is missing a PSA label.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/add-ns-quota/add-ns-quota/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/add-ns-quota/add-ns-quota/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/add-ns-quota/add-ns-quota.yaml" target="-blank">/best-practices/add-ns-quota/add-ns-quota.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-ns-quota</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Quota</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Multi-Tenancy, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ResourceQuota, LimitRange</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> To better control the number of resources that can be created in a given </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Namespace and provide default resource consumption limits for Pods, </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> ResourceQuota and LimitRange resources are recommended. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy will generate ResourceQuota and LimitRange resources when </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> a new Namespace is created.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">generate-resourcequota</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ResourceQuota</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-resourcequota</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">hard</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">requests.cpu</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;4&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">requests.memory</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;16Gi&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">limits.cpu</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;4&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">limits.memory</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;16Gi&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">generate-limitrange</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">LimitRange</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-limitrange</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="nt">default</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l">500m</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l">1Gi</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">defaultRequest</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l">200m</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l">256Mi</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Container</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/add-rolebinding/add-rolebinding/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/add-rolebinding/add-rolebinding/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/add-rolebinding/add-rolebinding.yaml" target="-blank">/best-practices/add-rolebinding/add-rolebinding.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-rolebinding</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Multi-Tenancy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Typically in multi-tenancy and other use cases, when a new Namespace is created, </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> users and other principals must be given some permissions to create and interact </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> with resources in the Namespace. Very commonly, Roles and RoleBindings are used to </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> grant permissions at the Namespace level. This policy generates a RoleBinding </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> called `&lt;userName&gt;-admin-binding` in the new Namespace which binds to the ClusterRole </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> `admin` as long as a `cluster-admin` did not create the Namespace. Additionally, an annotation </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> named `kyverno.io/user` is added to the RoleBinding recording the name of the user responsible </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> for the Namespace&#39;s creation.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">generate-admin-binding</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">clusterRoles</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">cluster-admin</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.userInfo.username}}-admin-binding&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/user</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.userInfo.username}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">roleRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">apiGroup</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">admin</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">User</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.userInfo.username}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psp-migration/add-runtimeclassname/add-runtimeclassname/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psp-migration/add-runtimeclassname/add-runtimeclassname/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psp-migration/add-runtimeClassName/add-runtimeClassName.yaml" target="-blank">/psp-migration/add-runtimeClassName/add-runtimeClassName.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-runtimeclassname</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add runtimeClassName</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">PSP Migration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> In the earlier Pod Security Policy controller, it was possible to configure a policy to add </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> a Pod&#39;s runtimeClassName. This was beneficial in that various container runtimes could be </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> specified according to a policy. This Kyverno policies mutates Pods to add a runtimeClassName </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> of `prodclass`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-prodclass</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">runtimeClassName</span><span class="p">:</span><span class="w"> </span><span class="l">prodclass</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/add-safe-to-evict/add-safe-to-evict/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/add-safe-to-evict/add-safe-to-evict/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/add-safe-to-evict/add-safe-to-evict.yaml" target="-blank">/best-practices/add-safe-to-evict/add-safe-to-evict.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-safe-to-evict</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Safe To Evict</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> The Kubernetes cluster autoscaler does not evict pods that </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods. </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">annotate-empty-dir</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">+(cluster-autoscaler.kubernetes.io/safe-to-evict)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">&lt;(emptyDir)</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">annotate-host-path</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">+(cluster-autoscaler.kubernetes.io/safe-to-evict)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">hostPath</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">&lt;(path)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-node-labels-pod/add-node-labels-pod/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-node-labels-pod/add-node-labels-pod/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-node-labels-pod/add-node-labels-pod.yaml" target="-blank">/other/add-node-labels-pod/add-node-labels-pod.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-node-labels-pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add scheduled Node&#39;s labels to a Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Containers running in Pods may sometimes need access to node-specific information on </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> which the Pod has been scheduled. A common use case is node topology labels to ensure </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> pods are spread across failure zones in racks or in the cloud. The mutate-pod-binding </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> policy already does this for annotations, but it does not handle labels. A useful use </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> case is for passing metric label information to ServiceMonitors and then into Prometheus. </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> This policy watches for Pod binding events when the pod is scheduled and then </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> asynchronously mutates the existing Pod to add the labels. </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> This policy requires the following changes to common default configurations: </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> - The kyverno resourceFilter should not filter Pod/binding resources. </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="sd"> - The kyverno backgroundController service account requires Update permission on pods. </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="sd"> It is recommended to use https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles </span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">project-foo</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">Pod/binding</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">node</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.target.name</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">foolabel</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/nodes/{{node}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;metadata.labels.foo || &#39;empty&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.namespace }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">foo</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ foolabel }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kubevirt/add-services/add-services/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kubevirt/add-services/add-services/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kubevirt/add-services/add-services.yaml" target="-blank">/kubevirt/add-services/add-services.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k6t-add-services</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Services</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">KubeVirt</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">VirtualMachineInstance</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="sd"> Add an SSH Service to every VirtualMachineInstance which is getting created. </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> This Service will use a ClusterIP, thus the admin has to ensure that the IP </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> space is large enough and ClusterIP type can be met.</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.8.0-rc2&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24-1.25&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k6t-add-service-ssh</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">VirtualMachineInstance</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">ownerReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kubevirt.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">VirtualMachineInstance</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">uid</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.uid}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">22</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">kubevirt.io/domain</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterIP</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-tolerations/add-tolerations/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-tolerations/add-tolerations/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-tolerations/add-tolerations.yaml" target="-blank">/other/add-tolerations/add-tolerations.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-tolerations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Tolerations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="l">Pod tolerations are used to schedule on Nodes which have</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="l">a matching taint. This policy adds the toleration `org.com/role=service:NoSchedule`</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="l">if existing tolerations do not contain the key `org.com/role`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">service-toleration</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;org.com/role&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.tolerations[].key || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> - op: add </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> path: &#34;/spec/tolerations/-&#34; </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> value: </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> key: org.com/role </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> operator: Equal </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> value: service </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> effect: NoSchedule</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-ttl-jobs/add-ttl-jobs/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-ttl-jobs/add-ttl-jobs/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-ttl-jobs/add-ttl-jobs.yaml" target="-blank">/other/add-ttl-jobs/add-ttl-jobs.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-ttl-jobs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add TTL to Jobs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Jobs which are user created can often pile up and consume </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> excess space in the cluster. In Kubernetes 1.23, the TTL-after-finished controller </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> is stable and will automatically clean up these Jobs if the ttlSecondsAfterFinished </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> is specified. This policy adds the ttlSecondsAfterFinished field to an Job that does </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> not have an ownerReference set if not already specified.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-ttlSecondsAfterFinished</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.ownerReferences || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">+(ttlSecondsAfterFinished)</span><span class="p">:</span><span class="w"> </span><span class="m">900</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/add-volume-deployment/add-volume-deployment/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/add-volume-deployment/add-volume-deployment/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/add-volume-deployment/add-volume-deployment.yaml" target="-blank">/other/add-volume-deployment/add-volume-deployment.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-volume</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Add Volume to Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, Volume</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Some Kubernetes applications like HashiCorp Vault must perform some modifications </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> to resources in order to invoke their specific functionality. Often times, that functionality </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> is controlled by the presence of a label or specific annotation. This policy, based on HashiCorp </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Vault, adds a volume and volumeMount to a Deployment if there is an annotation called </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> &#34;vault.k8s.corp.net/inject=enabled&#34; present.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-volume</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.template.metadata.annotations.\&#34;vault.k8s.corp.net/inject\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">enabled</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> - op: add </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> path: /spec/template/spec/volumes/- </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> value: </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> name: vault-secret </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> emptyDir: </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> medium: Memory </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> - op: add </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> path: /spec/template/spec/containers/0/volumeMounts/- </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> value: </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> mountPath: /secret </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> name: vault-secret</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/advanced-restrict-image-registries/advanced-restrict-image-registries/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/advanced-restrict-image-registries/advanced-restrict-image-registries/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml" target="-blank">/other/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">advanced-restrict-image-registries</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Advanced Restrict Image Registries</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In instances where a ClusterPolicy defines all the approved image registries </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> is insufficient, more granular control may be needed to set permitted registries, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> especially in multi-tenant use cases where some registries may be based on </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> the Namespace. This policy shows an advanced version of the Restrict Image Registries </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> policy which gets a global approved registry from a ConfigMap and, based upon an </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> annotation at the Namespace level, gets the registry approved for that Namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-corp-registries</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="c"># Get the value of the Namespace annotation called `corp.com/allowed-registries` and store. The value</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="c"># must end with a wildcard. Currently assumes there is only a single registry name in the value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">nsregistries</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{request.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;metadata.annotations.\&#34;corp.com/allowed-registries\&#34; || &#39;&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="c"># Get the ConfigMap in the `default` Namespace called `clusterregistries` and store. The value of the key</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="c"># must end with a wildcard. Currently assumes there is only a single registry name in the value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">clusterregistries</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">configMap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">clusterregistries</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">This Pod names an image that is not from an approved registry.</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="c"># Create a flattened array of all containers in the Pod.</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.[initContainers, ephemeralContainers, containers][]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="c"># Loop over every image and deny the Pod if any image doesn&#39;t match either the allowed registry in the</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="c"># cluster ConfigMap or the annotation on the Namespace where the Pod is created.</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.image}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{nsregistries}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.image}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{clusterregistries.data.registries}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml" target="-blank">/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">advanced-restrict-image-registries</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Advanced Restrict Image Registries in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In instances where a ClusterPolicy defines all the approved image registries </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> is insufficient, more granular control may be needed to set permitted registries, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> especially in multi-tenant use cases where some registries may be based on </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> the Namespace. This policy shows an advanced version of the Restrict Image Registries </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> policy which gets a global approved registry from a ConfigMap and, based upon an </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> annotation at the Namespace level, gets the registry approved for that Namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-corp-registries</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">paramKind</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">paramRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">clusterregistries</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">parameterNotFoundAction</span><span class="p">:</span><span class="w"> </span><span class="l">Deny</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">nsregistries</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> namespaceObject.metadata.?annotations[?&#39;corp.com/allowed-registries&#39;].orValue(&#39; &#39;)</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">clusterregistries</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;params.data[?&#39;registries&#39;].orValue(&#39; &#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.allContainers.all(container, container.image.startsWith(variables.nsregistries) || container.image.startsWith(variables.clusterregistries))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">This Pod names an image that is not from an approved registry.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/advertise-node-extended-resources/advertise-node-extended-resources/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/advertise-node-extended-resources/advertise-node-extended-resources/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/advertise-node-extended-resources/advertise-node-extended-resources.yaml" target="-blank">/other/advertise-node-extended-resources/advertise-node-extended-resources.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">advertise-node-extended-resources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Advertise Node Extended Resources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Kubernetes Nodes, in addition to standard compute resources like </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> CPU and memory, may offer extended resources such as FPGAs and GPUs, both </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> of which can be defined per custom design. These extended resources are </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> advertised in the `status` object of a Node. This policy, functional only </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> starting in Kyverno 1.9, adds the extended resource `example.com/dongle` with </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> a value/capacity of `2` to Kubernetes Nodes.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">advertise-dongle</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Node/status</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">status</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">capacity</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">example.com/dongle</span><span class="p">:</span><span class="w"> </span><span class="m">2</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/allowed-annotations/allowed-annotations/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/allowed-annotations/allowed-annotations/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/allowed-annotations/allowed-annotations.yaml" target="-blank">/other/allowed-annotations/allowed-annotations.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Allowed Annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Rather than creating a deny list of annotations, it may be more useful </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to invert that list and create an allow list which then denies any others. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy demonstrates how to allow two annotations with a specific key </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> name of fluxcd.io/ while denying others that do not meet the pattern.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-fluxcd-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.annotations.keys(@)[?contains(@, &#39;fluxcd.io/&#39;)] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="l">fluxcd.io/cow</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="l">fluxcd.io/dog</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/allowed-annotations/allowed-annotations/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/allowed-annotations/allowed-annotations/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/allowed-annotations/allowed-annotations.yaml" target="-blank">/other-cel/allowed-annotations/allowed-annotations.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Allowed Annotations in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Rather than creating a deny list of annotations, it may be more useful </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to invert that list and create an allow list which then denies any others. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy demonstrates how to allow two annotations with a specific key </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> name of fluxcd.io/ while denying others that do not meet the pattern.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-fluxcd-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> object.metadata.?annotations.orValue([]).all(annotation, !annotation.contains(&#39;fluxcd.io/&#39;) || annotation in [&#39;fluxcd.io/cow&#39;, &#39;fluxcd.io/dog&#39;])</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/allowed-base-images/allowed-base-images/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/allowed-base-images/allowed-base-images/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/allowed-base-images/allowed-base-images.yaml" target="-blank">/other/allowed-base-images/allowed-base-images.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-base-images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Allowed Base Images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Building images which specify a base as their origin is a good start </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to improving supply chain security, but over time organizations </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> may want to build an allow list of specific base images which </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> are allowed to be used when constructing containers. This policy ensures </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> that a container&#39;s base, found in an OCI annotation, is in a cluster-wide </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> allow list.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-base-images</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">baseimages</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">configMap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">baseimages</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">platform</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> This container image&#39;s base is not in the approved list or is not specified. Only pre-approved </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> base images may be used. Please contact the platform team for assistance.</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.[ephemeralContainers, initContainers, containers][]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imageData</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">basename</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">imageData.manifest.annotations.&#34;org.opencontainers.image.base.name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ basename }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ baseimages.data.allowedbaseimages }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/allowed-image-repos/allowed-image-repos/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/allowed-image-repos/allowed-image-repos/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/allowed-image-repos/allowed-image-repos.yaml" target="-blank">/other/allowed-image-repos/allowed-image-repos.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-image-repos</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Allowed Image Repositories</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> In addition to restricting the image registry from which images are pulled, in some cases </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> and environments it may be required to also restrict which image repositories are used, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> for example in some restricted Namespaces. This policy ensures that the only allowed </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> image repositories present in a given Pod, across any container type, come from the </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> designated list.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">good-repos</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> All images in this Pod must come from an authorized repository.</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ images.[containers, initContainers, ephemeralContainers][].*.name[] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="l">myknownimage</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="l">kyverno</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/allowed-label-changes/allowed-label-changes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/allowed-label-changes/allowed-label-changes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/allowed-label-changes/allowed-label-changes.yaml" target="-blank">/other/allowed-label-changes/allowed-label-changes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-label-changes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Allowed Label Changes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,Label</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> In some cases, operations teams need a type of limited access to </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> change resources during troubleshooting or outage mitigation. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy demonstrates how to prevent modification to labels </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> except one with the key `breakglass`. Changing, adding, or deleting </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> any other labels is denied.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-label</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The only label that may be removed or changed is `breakglass`.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.labels || `{}` | merge(@, {breakglass:null}) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.oldObject.metadata.labels || `{}` | merge(@, {breakglass:null}) }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/allowed-pod-priorities/allowed-pod-priorities/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/allowed-pod-priorities/allowed-pod-priorities/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/allowed-pod-priorities/allowed-pod-priorities.yaml" target="-blank">/other/allowed-pod-priorities/allowed-pod-priorities.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-podpriorities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Allowed Pod Priorities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> In certain cases where not all users in a cluster are trusted, a malicious user could create Pods </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> at the highest possible priorities, causing other Pods to be evicted/not get scheduled. This policy </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> checks the defined `priorityClassName` in a Pod spec to a dictionary of allowable </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> among them, the Pod is blocked.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-pod-priority</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">podprioritydict</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">configMap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-pod-priorities</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> The Pod PriorityClass {{ request.object.spec.priorityClassName }} is not in the list </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data.&#34;{{request.namespace}}&#34; }}.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.priorityClassName || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ podprioritydict.data.&#34;{{request.namespace}}&#34; || &#34;&#34; }}&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/allowed-pod-priorities/allowed-pod-priorities/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/allowed-pod-priorities/allowed-pod-priorities/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml" target="-blank">/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-podpriorities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Allowed Pod Priorities in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> In certain cases where not all users in a cluster are trusted, a malicious user could create Pods </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> at the highest possible priorities, causing other Pods to be evicted/not get scheduled. This policy </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> checks the defined `priorityClassName` in a Pod spec to a dictionary of allowable </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> among them, the Pod is blocked.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-pod-priority</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">paramKind</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">paramRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-pod-priorities</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">parameterNotFoundAction</span><span class="p">:</span><span class="w"> </span><span class="l">Deny</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespaceName</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;namespaceObject.metadata.name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">priorities</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.namespaceName in params.data ? params.data[variables.namespaceName].split(&#39;, &#39;) : []&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.priorities == [] || object.spec.priorityClassName in variables.priorities&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">messageExpression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> &#39;The Pod PriorityClass &#39; + object.spec.priorityClassName + </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="sd"> &#39; is not in the list of the following PriorityClasses allowed in this Namespace: &#39; + </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="sd"> params.data[variables.namespaceName]</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/always-pull-images/always-pull-images/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/always-pull-images/always-pull-images/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/always-pull-images/always-pull-images.yaml" target="-blank">/other/always-pull-images/always-pull-images.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">always-pull-images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Always Pull Images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> By default, images that have already been pulled can be accessed by other </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Pods without re-pulling them if the name and tag are known. In multi-tenant scenarios, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> this may be undesirable. This policy mutates all incoming Pods to set their </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> imagePullPolicy to Always. An alternative to the Kubernetes admission controller </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> AlwaysPullImages.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">always-pull-images</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">imagePullPolicy</span><span class="p">:</span><span class="w"> </span><span class="l">Always</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/annotate-base-images/annotate-base-images/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/annotate-base-images/annotate-base-images/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/annotate-base-images/annotate-base-images.yaml" target="-blank">/other/annotate-base-images/annotate-base-images.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">annotate-base-images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Annotate Base Images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> A base image used to construct a container image is not accessible </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> by any Kubernetes component and not a field in a Pod spec as it must </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> be fetched from a registry. Having this information available in the resource </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> referencing the containers helps to provide a clearer understanding of </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> its contents. This policy adds an annotation to a Pod or its controllers </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> with the base image used for each container if present in an OCI annotation.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mutate-base-image</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imageData</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">basename</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">imageData.manifest.annotations.&#34;org.opencontainers.image.base.name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> - path: &#34;/metadata/annotations/kyverno.io~1baseimages{{elementIndex}}&#34; </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> op: add </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> value: &#34;{{basename}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/argo/application-field-validation/application-field-validation/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/argo/application-field-validation/application-field-validation/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//argo/application-field-validation/application-field-validation.yaml" target="-blank">/argo/application-field-validation/application-field-validation.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">application-field-validation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Application Field Validation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Argo</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy performs some best practices validation on Application fields. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Path or chart must be specified but never both. And destination.name or </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> destination.server must be specified but never both.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">source-path-chart</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> `spec.source.path` OR `spec.source.chart` should be specified but never both.</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">anyPattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;?*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">X(chart)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">X(path)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">chart</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;?*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">destination-server-name</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> `spec.destination.server` OR `spec.destination.name` should be specified but never both.</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">anyPattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">destination</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;?*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">X(name)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">destination</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">X(server)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;?*&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/argo-cel/application-field-validation/application-field-validation/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/argo-cel/application-field-validation/application-field-validation/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//argo-cel/application-field-validation/application-field-validation.yaml" target="-blank">/argo-cel/application-field-validation/application-field-validation.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">application-field-validation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Application Field Validation in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Argo in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy performs some best practices validation on Application fields. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Path or chart must be specified but never both. And destination.name or </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> destination.server must be specified but never both.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">source-path-chart</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> has(object.spec.source) &amp;&amp; </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> ( </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> (has(object.spec.source.path) &amp;&amp; !has(object.spec.source.chart)) || </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> (!has(object.spec.source.path) &amp;&amp; has(object.spec.source.chart)) </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> )</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> `spec.source.path` OR `spec.source.chart` should be specified but never both.</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">destination-server-name</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="sd"> has(object.spec.destination) &amp;&amp; </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="sd"> ( </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="sd"> (has(object.spec.destination.server) &amp;&amp; !has(object.spec.destination.name)) || </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="sd"> (!has(object.spec.destination.server) &amp;&amp; has(object.spec.destination.name)) </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="sd"> )</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="sd"> `spec.destination.server` OR `spec.destination.name` should be specified but never both.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/apply-pss-restricted-profile/apply-pss-restricted-profile/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/apply-pss-restricted-profile/apply-pss-restricted-profile/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/apply-pss-restricted-profile/apply-pss-restricted-profile.yaml" target="-blank">/other/apply-pss-restricted-profile/apply-pss-restricted-profile.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">apply-pss-restricted-profile</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Apply PSS Restricted Profile</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, PSP Migration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Pod Security Standards define the fields and their options which </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> are allowable for Pods to achieve certain security best practices. While </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> these are typically validation policies, workloads will either be accepted or </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> rejected based upon what has already been defined. It is also possible to mutate </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> incoming Pods to achieve the desired PSS level rather than reject. This policy </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> sets all the fields necessary to pass the PSS Restricted profile. Note that it does </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> not attempt to remove non-compliant volumes and volumeMounts. Additional policies </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> may be employed for this purpose.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-pss-fields</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">seccompProfile</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">RuntimeDefault</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">runAsUser</span><span class="p">:</span><span class="w"> </span><span class="m">1000</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="m">3000</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">fsGroup</span><span class="p">:</span><span class="w"> </span><span class="m">2000</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">privileged</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">capabilities</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">drop</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">ALL</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">allowPrivilegeEscalation</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml" target="-blank">/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">argo-cluster-generation-from-rancher-capi</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Argo Cluster Secret Generation From Rancher CAPI Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Argo</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 14</span><span class="cl"><span class="sd"> This policy generates and synchronizes Argo CD cluster secrets from Rancher </span></span></span><span class="line"><span class="ln"> 15</span><span class="cl"><span class="sd"> managed cluster.provisioning.cattle.io/v1 resources and their corresponding CAPI secrets. </span></span></span><span class="line"><span class="ln"> 16</span><span class="cl"><span class="sd"> In this solution, Argo CD integrates with Rancher managed clusters via the central </span></span></span><span class="line"><span class="ln"> 17</span><span class="cl"><span class="sd"> Rancher authentication proxy which shares the network endpoint of the Rancher API/GUI. </span></span></span><span class="line"><span class="ln"> 18</span><span class="cl"><span class="sd"> The policy implements work-arounds for Argo CD issue https://github.com/argoproj/argo-cd/issues/9033 </span></span></span><span class="line"><span class="ln"> 19</span><span class="cl"><span class="sd"> &#34;Cluster-API cluster auto-registration&#34; and Rancher issue https://github.com/rancher/rancher/issues/38053 </span></span></span><span class="line"><span class="ln"> 20</span><span class="cl"><span class="sd"> &#34;Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret&#34;.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 22</span><span class="cl"><span class="w"> </span><span class="nt">generateExisting</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">source-rancher-non-local-cluster-and-capi-secret</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 26</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 29</span><span class="cl"><span class="w"> </span>- <span class="l">provisioning.cattle.io/v1/Cluster</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 30</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 31</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 32</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 33</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 34</span><span class="cl"><span class="w"> </span>- <span class="l">fleet-local</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 35</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">clusterName</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 37</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 38</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 39</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;to_string(@)&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 40</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">clusterPrefixedName</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 41</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 42</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ join(&#39;-&#39;, [&#39;cluster&#39;, clusterName]) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 43</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;to_string(@)&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 44</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kubeconfigName</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 45</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 46</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ join(&#39;-&#39;, [clusterName, &#39;kubeconfig&#39;]) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 47</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;to_string(@)&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 48</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">extraLabels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 49</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 50</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 51</span><span class="cl"><span class="w"> </span><span class="nt">argocd.argoproj.io/secret-type</span><span class="p">:</span><span class="w"> </span><span class="l">cluster</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 52</span><span class="cl"><span class="w"> </span><span class="nt">clusterId</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ clusterName }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 53</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">metadataLabels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 54</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 55</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.metadata.labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 56</span><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="ln"> 57</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">metadataLabels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 58</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 59</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">merge(metadataLabels, extraLabels)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 60</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kubeconfigData</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 61</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 62</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{kubeconfigName}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 63</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;data | to_string(@)&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 64</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">serverName</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 65</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 66</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ kubeconfigData | parse_yaml(@).value | base64_decode(@) | parse_yaml(@).clusters[0].cluster.server }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 67</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;to_string(@)&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 68</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">bearerToken</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 69</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 70</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ kubeconfigData | parse_yaml(@).token | base64_decode(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 71</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;to_string(@)&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 72</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">caData</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 73</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 74</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ kubeconfigData | parse_yaml(@).value | base64_decode(@) | parse_yaml(@).clusters[0].cluster.\&#34;certificate-authority-data\&#34; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 75</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;to_string(@)&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 76</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">dataConfig</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 77</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 78</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 79</span><span class="cl"><span class="sd"> { </span></span></span><span class="line"><span class="ln"> 80</span><span class="cl"><span class="sd"> &#34;bearerToken&#34;: &#34;{{ bearerToken }}&#34;, </span></span></span><span class="line"><span class="ln"> 81</span><span class="cl"><span class="sd"> &#34;tlsClientConfig&#34;: { </span></span></span><span class="line"><span class="ln"> 82</span><span class="cl"><span class="sd"> &#34;insecure&#34;: false, </span></span></span><span class="line"><span class="ln"> 83</span><span class="cl"><span class="sd"> &#34;caData&#34;: &#34;{{ caData }}&#34; </span></span></span><span class="line"><span class="ln"> 84</span><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="ln"> 85</span><span class="cl"><span class="sd"> }</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 86</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;to_string(@)&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 87</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 88</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 89</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 90</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 91</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ clusterPrefixedName }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 92</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">argocd</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 93</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 94</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 95</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 96</span><span class="cl"><span class="w"> </span><span class="s2">&#34;{{ metadataLabels }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 97</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Opaque</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 98</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 99</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ clusterPrefixedName | base64_encode(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">100</span><span class="cl"><span class="w"> </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ serverName | base64_encode(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">101</span><span class="cl"><span class="w"> </span><span class="nt">config</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ dataConfig | base64_encode(@) }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/audit-event-on-delete/audit-event-on-delete/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/audit-event-on-delete/audit-event-on-delete/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/audit-event-on-delete/audit-event-on-delete.yaml" target="-blank">/other/audit-event-on-delete/audit-event-on-delete.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">audit-event-on-delete</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Audit Event on Delete</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Kubernetes Events are limited in that the circumstances under which they are created </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> cannot be changed and with what they are associated is fixed. It may be advantageous </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> in many cases to augment these out-of-the-box Events with custom Events which can be </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> custom designed to your needs. This policy generates an Event when a Secret has been </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> deleted. It lists the userInfo of the actor performing the deletion.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">generate-event-on-delete</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Event</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;delete.{{ random(&#39;[a-z0-9]{12}&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">firstTimestamp</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ time_now_utc() }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">involvedObject</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.namespace }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">uid</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.oldObject.metadata.uid}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">lastTimestamp</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ time_now_utc() }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The {{ request.name }} Secret was deleted by {{ request.userInfo | to_string(@) }}.</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">reason</span><span class="p">:</span><span class="w"> </span><span class="l">Delete</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">component</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Warning</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/audit-event-on-exec/audit-event-on-exec/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/audit-event-on-exec/audit-event-on-exec/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/audit-event-on-exec/audit-event-on-exec.yaml" target="-blank">/other/audit-event-on-exec/audit-event-on-exec.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">audit-event-on-exec</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Audit Event on Pod Exec</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Kubernetes Events are limited in that the circumstances under which they are created </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> cannot be changed and with what they are associated is fixed. It may be advantageous </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> in many cases to augment these out-of-the-box Events with custom Events which can be </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> custom designed to your needs. This policy generates an Event on a Pod when an exec </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> has been made to it. It lists the userInfo of the actor performing the exec along </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> with the command used in the exec.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">generate-event-on-exec</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod/exec</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">parentPodUID</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{request.namespace}}/pods/{{request.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;metadata.uid&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Event</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;exec.{{ random(&#39;[a-z0-9]{6}&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">firstTimestamp</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ time_now_utc() }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">involvedObject</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.namespace }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">uid</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ parentPodUID }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">lastTimestamp</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ time_now_utc() }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">An exec was performed by {{ request.userInfo | to_string(@) }} running commands {{ request.object.command }}</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">reason</span><span class="p">:</span><span class="w"> </span><span class="l">Exec</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">component</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Warning</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/velero/backup-all-volumes/backup-all-volumes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/velero/backup-all-volumes/backup-all-volumes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//velero/backup-all-volumes/backup-all-volumes.yaml" target="-blank">/velero/backup-all-volumes/backup-all-volumes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">backup-all-volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Backup All Volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Velero</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.25&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> In order for Velero to backup volumes in a Pod using an opt-in approach, it </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> requires an annotation on the Pod called `backup.velero.io/backup-volumes` with the </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> value being a comma-separated list of the volumes mounted to that Pod. This policy </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> automatically annotates Pods (and Pod controllers) which refer to a PVC so that </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> all volumes are listed in the aforementioned annotation if a Namespace with the label </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> `velero-backup-pvc=true`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">backup-velero-pv</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">namespaceSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">velero-backup-pvc</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.volumes[?contains(keys(@), &#39;persistentVolumeClaim&#39;)] | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">join(&#39;,&#39;,request.object.spec.volumes[?persistentVolumeClaim].name)</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">backup.velero.io/backup-volumes</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ volumes }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline.yaml" target="-blank">/pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">podsecurity-subrule-baseline</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Baseline Pod Security Standards</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The baseline profile of the Pod Security Standards is a collection of the </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> most basic and important steps that can be taken to secure Pods. Beginning </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> with Kyverno 1.8, an entire profile may be assigned to the cluster through a </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> single rule. This policy configures the baseline profile through the latest </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> version of the Pod Security Standards cluster wide.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">baseline</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">podSecurity</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">baseline</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="l">latest</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/block-cluster-admin-from-ns/block-cluster-admin-from-ns/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/block-cluster-admin-from-ns/block-cluster-admin-from-ns/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml" target="-blank">/other/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-cluster-admin-from-ns</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block cluster-admin from modifying any object in a Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace, ClusterRole, User </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> In some cases, it may be desirable to block operations of certain privileged users </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> (i.e. cluster-admins) in a specific namespace. In this policy, Kyverno will look for all user operations </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> (CREATE, UPDATE, DELETE), on every object kind, in the testnamespace namespace, and for the </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> ClusterRole cluster-admin. The user testuser is also mentioned so it won&#39;t include all the cluster-admins in </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the cluster, but will be flexible enough to apply only for a sub-group of the cluster-admins in the cluster.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-cluster-admin-from-ns</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">testnamespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">clusterRoles</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">cluster-admin</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">User</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">testuser</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The cluster-admin &#39;testuser&#39; user cannot touch testnamespace Namespace.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">DELETE</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/block-ephemeral-containers/block-ephemeral-containers/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/block-ephemeral-containers/block-ephemeral-containers/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/block-ephemeral-containers/block-ephemeral-containers.yaml" target="-blank">/other/block-ephemeral-containers/block-ephemeral-containers.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-ephemeral-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Ephemeral Containers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> `kubectl debug` functionality and attach a temporary container to an existing Pod. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This may potentially be used to gain access to unauthorized information executing inside </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> one or more containers in that Pod. This policy blocks the use of ephemeral containers.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-ephemeral-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Ephemeral (debug) containers are not permitted.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">X(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/block-ephemeral-containers/block-ephemeral-containers/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/block-ephemeral-containers/block-ephemeral-containers/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml" target="-blank">/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-ephemeral-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Ephemeral Containers in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> `kubectl debug` functionality and attach a temporary container to an existing Pod. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This may potentially be used to gain access to unauthorized information executing inside </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> one or more containers in that Pod. This policy blocks the use of ephemeral containers.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-ephemeral-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!has(object.spec.ephemeralContainers)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Ephemeral (debug) containers are not permitted.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/block-images-with-volumes/block-images-with-volumes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/block-images-with-volumes/block-images-with-volumes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/block-images-with-volumes/block-images-with-volumes.yaml" target="-blank">/other/block-images-with-volumes/block-images-with-volumes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-images-with-volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Images with Volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> OCI images may optionally be built with VOLUME statements which, if run </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> in read-only mode, would still result in write access to the specified location. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This may be unexpected and undesirable. This policy checks the contents of every </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> container image and inspects them for such VOLUME statements, then blocks if found.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-images-with-vols</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Images containing built-in volumes are prohibited.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imageData</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ imageData.configData.config.Volumes || &#39;&#39; | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/block-large-images/block-large-images/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/block-large-images/block-large-images/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/block-large-images/block-large-images.yaml" target="-blank">/other/block-large-images/block-large-images.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-large-images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Large Images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pods which run containers of very large image size take longer to pull </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> and require more space to store. A user may either inadvertently or purposefully </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> name an image which is unusually large to disrupt operations. This policy </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> checks the size of every container image and blocks if it is over 2 Gibibytes.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-over-twogi</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;images with size greater than 2Gi not allowed&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imageSize</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="c"># Note that we need to use `to_string` here to allow kyverno to treat it like a resource quantity of type memory</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="c"># the total size of an image as calculated by docker is the total sum of its layer sizes</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;to_string(sum(manifest.layers[*].size))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;2Gi&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">LessThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{imageSize}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label.yaml" target="-blank">/other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-exec-by-namespace-label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Pod Exec by Namespace Label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> The `exec` command may be used to gain shell access, or run other commands, in a Pod&#39;s container. While this can </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy blocks Pod exec commands based upon a Namespace label `exec=false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-exec-by-ns-label</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Pod/exec</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">nslabelexec</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{request.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;metadata.labels.exec || &#39;&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CONNECT</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Executing a command in a container is forbidden for Pods running in Namespaces protected with the label &#34;exec=false&#34;.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ nslabelexec }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/block-pod-exec-by-namespace/block-pod-exec-by-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/block-pod-exec-by-namespace/block-pod-exec-by-namespace/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml" target="-blank">/other/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-exec-by-namespace-name</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Pod Exec by Namespace Name</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> The `exec` command may be used to gain shell access, or run other commands, in a Pod&#39;s container. While this can </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy blocks Pod exec commands to Pods in a Namespace called `pci`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-exec-ns-pci</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Pod/exec</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CONNECT</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Pods in this namespace may not be exec&#39;d into.</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.namespace }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">pci</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container.yaml" target="-blank">/other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-exec-by-pod-and-container</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Pod Exec by Pod and Container</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> The `exec` command may be used to gain shell access, or run other commands, in a Pod&#39;s container. While this can </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy blocks Pod exec commands to containers named `nginx` in Pods starting </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> with name `myapp-maintenance`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-nginx-exec-in-myapp-maintenance</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod/exec</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CONNECT</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">myapp-maintenance*</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Nginx containers inside myapp-maintanence Pods may not be exec&#39;d into.</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.container }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml" target="-blank">/other/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-exec-by-pod-label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Pod Exec by Pod Label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> The `exec` command may be used to gain shell access, or run other commands, in a Pod&#39;s container. While this can </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy blocks Pod exec commands to Pods having the label `exec=false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-exec-by-label</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Pod/exec</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">podexeclabel</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{request.namespace}}/pods/{{request.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;metadata.labels.exec || &#39;&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CONNECT</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Exec&#39;ing into Pods protected with the label `exec=false` is forbidden.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ podexeclabel }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml" target="-blank">/other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-exec-by-pod-name</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Pod Exec by Pod Name</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> The `exec` command may be used to gain shell access, or run other commands, in a Pod&#39;s container. While this can </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy blocks Pod exec commands to Pods beginning with the name </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> `myapp-maintenance-`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-exec-myapp-maintenance</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod/exec</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CONNECT</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Exec&#39;ing into Pods called &#34;myapp-maintenance&#34; is not allowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">myapp-maintenance-*</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/block-stale-images/block-stale-images/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/block-stale-images/block-stale-images/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/block-stale-images/block-stale-images.yaml" target="-blank">/other/block-stale-images/block-stale-images.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-stale-images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Stale Images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Images that are old usually have some open security vulnerabilities which are not patched. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy checks the contents of every container image and inspects them for the create time. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> If it finds any image which was built more than 6 months ago this policy blocks the deployment.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit </span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-stale-images</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Images built more than 6 months ago are prohibited.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imageData</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ time_since(&#39;&#39;, &#39;{{ imageData.configData.created }}&#39;, &#39;&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">4380h</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/tekton/block-tekton-task-runs/block-tekton-task-runs/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/tekton/block-tekton-task-runs/block-tekton-task-runs/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//tekton/block-tekton-task-runs/block-tekton-task-runs.yaml" target="-blank">/tekton/block-tekton-task-runs/block-tekton-task-runs.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-tekton-task-runs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Tekton TaskRun</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Tekton</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">TaskRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Restrict creation of TaskRun resources to the Tekton pipelines controller.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-taskrun-user</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">TaskRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">User </span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;system:serviceaccount:tekton-pipelines:tekton-pipelines-controller&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Creating a TaskRun is not allowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/tekton-cel/block-tekton-task-runs/block-tekton-task-runs/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/tekton-cel/block-tekton-task-runs/block-tekton-task-runs/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//tekton-cel/block-tekton-task-runs/block-tekton-task-runs.yaml" target="-blank">/tekton-cel/block-tekton-task-runs/block-tekton-task-runs.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-tekton-task-runs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Tekton TaskRun in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Tekton in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">TaskRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Restrict creation of TaskRun resources to the Tekton pipelines controller.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-taskrun-user</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">TaskRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">User </span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;system:serviceaccount:tekton-pipelines:tekton-pipelines-controller&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Creating a TaskRun is not allowed.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/block-updates-deletes/block-updates-deletes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/block-updates-deletes/block-updates-deletes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/block-updates-deletes/block-updates-deletes.yaml" target="-blank">/other/block-updates-deletes/block-updates-deletes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-updates-deletes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Updates and Deletes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="sd"> Kubernetes RBAC allows for controls on kinds of resources or those </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> with specific names. But it does not have the type of granularity often </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> required in more complex environments. This policy restricts updates and deletes to any </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Service resource that contains the label `protected=true` unless by </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> a cluster-admin.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-updates-deletes</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">protected</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">clusterRoles</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">cluster-admin</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;This resource is protected and changes are not allowed. Please seek a cluster-admin.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/velero/block-velero-restore/block-velero-restore/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/velero/block-velero-restore/block-velero-restore/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//velero/block-velero-restore/block-velero-restore.yaml" target="-blank">/velero/block-velero-restore/block-velero-restore.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-velero-restore</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Velero Restore to Protected Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Velero</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Restore</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="sd"> Velero allows on backup and restore operations and is designed to be run with full cluster admin permissions. </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> It allows on cross namespace restore operations, which means you can restore backup of namespace A to namespace B. </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> This policy protect restore operation into system or any protected namespaces, listed in deny condition section. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> It checks the Restore CRD object and its namespaceMapping field. If destination match protected namespace </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> then operation fails and warning message is throw.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-velero-restore-to-protected-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">velero.io/v1/Restore</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Warning! Restore to protected namespace: {{request.object.spec.namespaceMapping | values(@)}} is not allowed!&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.namespaceMapping || `{}` | values(@)}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">kube-node-lease</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/velero-cel/block-velero-restore/block-velero-restore/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/velero-cel/block-velero-restore/block-velero-restore/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//velero-cel/block-velero-restore/block-velero-restore.yaml" target="-blank">/velero-cel/block-velero-restore/block-velero-restore.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-velero-restore</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Block Velero Restore to Protected Namespace in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Velero in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Restore</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Velero allows on backup and restore operations and is designed to be run with full cluster admin permissions. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> It allows on cross namespace restore operations, which means you can restore backup of namespace A to namespace B. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy protect restore operation into system or any protected namespaces, listed in deny condition section. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> It checks the Restore CRD object and its namespaceMapping field. If destination match protected namespace </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> then operation fails and warning message is throw.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-velero-restore-to-protected-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">velero.io/v1/Restore</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespaceMappingValues</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has(object.spec.namespaceMapping) ? object.spec.namespaceMapping.map(nsmap, object.spec.namespaceMapping[nsmap]) : []&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!variables.namespaceMappingValues.exists(val, val in [&#39;kube-system&#39;, &#39;kube-node-lease&#39;])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">messageExpression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#39;Warning! Restore to protected namespace: &#39; + variables.namespaceMappingValues.join(&#39;, &#39;) + &#39; is not allowed!&#39;&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/cert-manager/limit-duration/limit-duration/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/cert-manager/limit-duration/limit-duration/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//cert-manager/limit-duration/limit-duration.yaml" target="-blank">/cert-manager/limit-duration/limit-duration.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cert-manager-limit-duration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Certificate max duration 100 days</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Cert-Manager</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Certificate</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Kubernetes managed non-letsencrypt certificates have to be renewed in every 100 days.</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">certificate-duration-max-100days </span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="l">Certificate</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ contains(request.object.spec.issuerRef.name, &#39;letsencrypt&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">False</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.duration }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;certificate duration must be &lt; than 2400h (100 days)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ max( [ to_number(regex_replace_all(&#39;h.*&#39;,request.object.spec.duration,&#39;&#39;)), to_number(&#39;2400&#39;) ] ) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">2400</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/dns-policy-and-dns-config/dns-policy-and-dns-config/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/dns-policy-and-dns-config/dns-policy-and-dns-config/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/dns-policy-and-dns-config/dns-policy-and-dns-config.yaml" target="-blank">/other/dns-policy-and-dns-config/dns-policy-and-dns-config.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">change-dns-config-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Change DNS Config and Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> The Default DNS policy in Kubernetes gives the flexibility of service </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> access; however, it costs some latency on a high scale, and it needs to </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> be optimized. This policy helps us to optimize the performance of DNS </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> queries by setting DNS Options, nodelocalDNS IP, and search Domains. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy can be applied for the clusters provisioned by kubeadm.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">dns-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">dictionary</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">configMap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="c"># kubelet-config cm would also works by using clusterDomain </span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="c"># instead of clusterName; but kubeadm-config sounds more reliable</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="c"># when considering kubelet-config is changed every cluster upgrade, etc.</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kubeadm-config </span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.dnsPolicy || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterFirst</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterFirstWithHostNet</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">None</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">dnsConfig</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">nameservers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="c"># NodelocalDNS IP</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="m">169.254.25.10</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">options</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">timeout</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ndots</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;2&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">attempts</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">searches</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="l">svc.{{dictionary.data.ClusterConfiguration | parse_yaml(@).clusterName}}</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{ request.namespace }}.svc.{{ dictionary.data.ClusterConfiguration | parse_yaml(@).clusterName }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">dnsPolicy</span><span class="p">:</span><span class="w"> </span><span class="l">None</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-data-protection-by-label/kasten-data-protection-by-label/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-data-protection-by-label/kasten-data-protection-by-label/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kasten/kasten-data-protection-by-label/kasten-data-protection-by-label.yaml" target="-blank">/kasten/kasten-data-protection-by-label/kasten-data-protection-by-label.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-data-protection-by-label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Data Protection By Label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Veeam Kasten</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24-1.30&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Check the &#39;dataprotection&#39; label for production Deployments and StatefulSet workloads. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Use in combination with &#39;kasten-generate-example-backup-policy&#39; policy to generate a Kasten policy for the workload namespace, if it doesn&#39;t already exist.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-data-protection-by-label</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">purpose</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> &#34;Deployments and StatefulSets with &#39;purpose=production&#39; label must specify a valid &#39;dataprotection&#39; label: </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> &#34;dataprotection=kasten-example&#34; - &lt;Insert human readable settings for each option&gt; </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> &#34;dataprotection=none&#34; - No local snapshots or backups</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">dataprotection</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;kasten-example|none&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml" target="-blank">/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k10-data-protection-by-label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Data Protection By Label in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Kasten K10 by Veeam in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Check the &#39;dataprotection&#39; label that production Deployments and StatefulSet have a named K10 Policy. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Use in combination with &#39;generate&#39; ClusterPolicy to &#39;generate&#39; a specific K10 Policy by name.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k10-data-protection-by-label</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">purpose</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.metadata.?labels.?dataprotection.orValue(&#39;&#39;).startsWith(&#39;k10-&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Deployments and StatefulSets that specify &#39;dataprotection&#39; label must have a valid k10-?* name (use labels: dataprotection: k10-&lt;policyname&gt;)&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/check-deprecated-apis/check-deprecated-apis/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/check-deprecated-apis/check-deprecated-apis/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/check-deprecated-apis/check-deprecated-apis.yaml" target="-blank">/best-practices/check-deprecated-apis/check-deprecated-apis.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-deprecated-apis</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check deprecated APIs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Kubernetes APIs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.4</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.4</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 13</span><span class="cl"><span class="sd"> Kubernetes APIs are sometimes deprecated and removed after a few releases. </span></span></span><span class="line"><span class="ln"> 14</span><span class="cl"><span class="sd"> As a best practice, older API versions should be replaced with newer versions. </span></span></span><span class="line"><span class="ln"> 15</span><span class="cl"><span class="sd"> This policy validates for APIs that are deprecated or scheduled for removal. </span></span></span><span class="line"><span class="ln"> 16</span><span class="cl"><span class="sd"> Note that checking for some of these resources may require modifying the Kyverno </span></span></span><span class="line"><span class="ln"> 17</span><span class="cl"><span class="sd"> ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind </span></span></span><span class="line"><span class="ln"> 18</span><span class="cl"><span class="sd"> has been commented out due to a check for this kind having a performance penalty </span></span></span><span class="line"><span class="ln"> 19</span><span class="cl"><span class="sd"> on Kubernetes clusters with many leases. Its enabling should be attended carefully </span></span></span><span class="line"><span class="ln"> 20</span><span class="cl"><span class="sd"> and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25 </span></span></span><span class="line"><span class="ln"> 21</span><span class="cl"><span class="sd"> so therefore the validate-v1-25-removals rule may not completely work on 1.25+. </span></span></span><span class="line"><span class="ln"> 22</span><span class="cl"><span class="sd"> This policy requires Kyverno v1.7.4+ to function properly.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 23</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 24</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 25</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 26</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 27</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-v1-25-removals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 28</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 29</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 30</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 31</span><span class="cl"><span class="w"> </span><span class="c"># NOTE: PodSecurityPolicy is completely removed in 1.25.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 32</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 33</span><span class="cl"><span class="w"> </span>- <span class="l">batch/*/CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 34</span><span class="cl"><span class="w"> </span>- <span class="l">discovery.k8s.io/*/EndpointSlice</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 35</span><span class="cl"><span class="w"> </span>- <span class="l">events.k8s.io/*/Event</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 36</span><span class="cl"><span class="w"> </span>- <span class="l">policy/*/PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 37</span><span class="cl"><span class="w"> </span>- <span class="l">policy/*/PodSecurityPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 38</span><span class="cl"><span class="w"> </span>- <span class="l">node.k8s.io/*/RuntimeClass</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 39</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 40</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.apiVersion}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 45</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 46</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 47</span><span class="cl"><span class="w"> </span>- <span class="l">batch/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 48</span><span class="cl"><span class="w"> </span>- <span class="l">discovery.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 49</span><span class="cl"><span class="w"> </span>- <span class="l">events.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 50</span><span class="cl"><span class="w"> </span>- <span class="l">policy/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 51</span><span class="cl"><span class="w"> </span>- <span class="l">node.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 52</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 53</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 54</span><span class="cl"><span class="sd"> {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25. </span></span></span><span class="line"><span class="ln"> 55</span><span class="cl"><span class="sd"> See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 56</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="ln"> 57</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-v1-26-removals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 58</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 59</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 60</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 61</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 62</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/*/FlowSchema</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 63</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 64</span><span class="cl"><span class="w"> </span>- <span class="l">autoscaling/*/HorizontalPodAutoscaler</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 65</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 66</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 67</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 68</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 69</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 70</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.apiVersion}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 71</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 72</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 73</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 74</span><span class="cl"><span class="w"> </span>- <span class="l">autoscaling/v2beta2</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 75</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 76</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 77</span><span class="cl"><span class="sd"> {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.26. </span></span></span><span class="line"><span class="ln"> 78</span><span class="cl"><span class="sd"> See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 79</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="ln"> 80</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-v1-27-removals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 81</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 82</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 83</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 84</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 85</span><span class="cl"><span class="w"> </span>- <span class="l">storage.k8s.io/*/CSIStorageCapacity</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 86</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 87</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 88</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 89</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 90</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 91</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.apiVersion}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 92</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 93</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 94</span><span class="cl"><span class="w"> </span>- <span class="l">storage.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 95</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 96</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 97</span><span class="cl"><span class="sd"> {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.27. </span></span></span><span class="line"><span class="ln"> 98</span><span class="cl"><span class="sd"> See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 99</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="ln">100</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-v1-29-removals</span><span class="w"> </span></span></span><span class="line"><span class="ln">101</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">102</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">103</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">104</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">105</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/*/FlowSchema</span><span class="w"> </span></span></span><span class="line"><span class="ln">106</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration</span><span class="w"> </span></span></span><span class="line"><span class="ln">107</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">108</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">109</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">110</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">111</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">112</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.apiVersion}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">113</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">114</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">115</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/v1beta2</span><span class="w"> </span></span></span><span class="line"><span class="ln">116</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">117</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">118</span><span class="cl"><span class="sd"> {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.29. </span></span></span><span class="line"><span class="ln">119</span><span class="cl"><span class="sd"> See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/</span><span class="w"> </span></span></span><span class="line"><span class="ln">120</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="ln">121</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-v1-32-removals</span><span class="w"> </span></span></span><span class="line"><span class="ln">122</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">123</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">124</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">125</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">126</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/*/FlowSchema</span><span class="w"> </span></span></span><span class="line"><span class="ln">127</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration</span><span class="w"> </span></span></span><span class="line"><span class="ln">128</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">129</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">130</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">131</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">132</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">133</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.apiVersion}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">134</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">135</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">136</span><span class="cl"><span class="w"> </span>- <span class="w"> </span><span class="l">flowcontrol.apiserver.k8s.io/v1beta3</span><span class="w"> </span></span></span><span class="line"><span class="ln">137</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">138</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">139</span><span class="cl"><span class="sd"> {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.32. </span></span></span><span class="line"><span class="ln">140</span><span class="cl"><span class="sd"> See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/</span><span class="w"> </span></span></span><span class="line"><span class="ln">141</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/check-deprecated-apis/check-deprecated-apis/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/check-deprecated-apis/check-deprecated-apis/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml" target="-blank">/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-deprecated-apis</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check deprecated APIs in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Kubernetes APIs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 12</span><span class="cl"><span class="sd"> Kubernetes APIs are sometimes deprecated and removed after a few releases. </span></span></span><span class="line"><span class="ln"> 13</span><span class="cl"><span class="sd"> As a best practice, older API versions should be replaced with newer versions. </span></span></span><span class="line"><span class="ln"> 14</span><span class="cl"><span class="sd"> This policy validates for APIs that are deprecated or scheduled for removal. </span></span></span><span class="line"><span class="ln"> 15</span><span class="cl"><span class="sd"> Note that checking for some of these resources may require modifying the Kyverno </span></span></span><span class="line"><span class="ln"> 16</span><span class="cl"><span class="sd"> ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 </span></span></span><span class="line"><span class="ln"> 17</span><span class="cl"><span class="sd"> so therefore the validate-v1-25-removals rule may not completely work on 1.25+.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-v1-25-removals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 26</span><span class="cl"><span class="w"> </span><span class="c"># NOTE: PodSecurityPolicy is completely removed in 1.25.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 28</span><span class="cl"><span class="w"> </span>- <span class="l">batch/*/CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 29</span><span class="cl"><span class="w"> </span>- <span class="l">discovery.k8s.io/*/EndpointSlice</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 30</span><span class="cl"><span class="w"> </span>- <span class="l">events.k8s.io/*/Event</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 31</span><span class="cl"><span class="w"> </span>- <span class="l">policy/*/PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 32</span><span class="cl"><span class="w"> </span>- <span class="l">policy/*/PodSecurityPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 33</span><span class="cl"><span class="w"> </span>- <span class="l">node.k8s.io/*/RuntimeClass</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 34</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;allowed-api-versions&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 36</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.apiVersion in [&#39;batch/v1beta1&#39;, &#39;discovery.k8s.io/v1beta1&#39;, &#39;events.k8s.io/v1beta1&#39;, &#39;policy/v1beta1&#39;, &#39;node.k8s.io/v1beta1&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 38</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 39</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 40</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 41</span><span class="cl"><span class="w"> </span><span class="nt">messageExpression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 42</span><span class="cl"><span class="sd"> object.apiVersion + &#39;/&#39; + object.kind + &#39; is deprecated and will be removed in v1.25. </span></span></span><span class="line"><span class="ln"> 43</span><span class="cl"><span class="sd"> See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 44</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-v1-26-removals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 45</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 46</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 47</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 48</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 49</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/*/FlowSchema</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 50</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 51</span><span class="cl"><span class="w"> </span>- <span class="l">autoscaling/*/HorizontalPodAutoscaler</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 52</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 53</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;allowed-api-versions&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 54</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.apiVersion in [&#39;flowcontrol.apiserver.k8s.io/v1beta1&#39;, &#39;autoscaling/v2beta2&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 55</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 56</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 57</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 58</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 59</span><span class="cl"><span class="w"> </span><span class="nt">messageExpression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 60</span><span class="cl"><span class="sd"> object.apiVersion + &#39;/&#39; + object.kind + &#39; is deprecated and will be removed in v1.26. </span></span></span><span class="line"><span class="ln"> 61</span><span class="cl"><span class="sd"> See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 62</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-v1-27-removals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 63</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 64</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 65</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 66</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 67</span><span class="cl"><span class="w"> </span>- <span class="l">storage.k8s.io/*/CSIStorageCapacity</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 68</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 69</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;allowed-api-versions&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 70</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.apiVersion in [&#39;storage.k8s.io/v1beta1&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 71</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 72</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 73</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 74</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 75</span><span class="cl"><span class="w"> </span><span class="nt">messageExpression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 76</span><span class="cl"><span class="sd"> object.apiVersion + &#39;/&#39; + object.kind + &#39; is deprecated and will be removed in v1.27. </span></span></span><span class="line"><span class="ln"> 77</span><span class="cl"><span class="sd"> See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 78</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-v1-29-removals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 79</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 80</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 81</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 82</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 83</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/*/FlowSchema</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 84</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 85</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 86</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.apiVersion&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 87</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.apiVersion in [&#39;flowcontrol.apiserver.k8s.io/v1beta2&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 88</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 89</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 90</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 91</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 92</span><span class="cl"><span class="w"> </span><span class="nt">messageExpression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 93</span><span class="cl"><span class="sd"> object.apiVersion + &#39;/&#39; + object.kind + &#39; is deprecated and will be removed in v1.29. </span></span></span><span class="line"><span class="ln"> 94</span><span class="cl"><span class="sd"> See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 95</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-v1-32-removals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 96</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 97</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 98</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 99</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">100</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/*/FlowSchema</span><span class="w"> </span></span></span><span class="line"><span class="ln">101</span><span class="cl"><span class="w"> </span>- <span class="l">flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration</span><span class="w"> </span></span></span><span class="line"><span class="ln">102</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">103</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.apiVersion&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">104</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.apiVersion in [&#39;flowcontrol.apiserver.k8s.io/v1beta3&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">105</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">106</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">107</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">108</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">109</span><span class="cl"><span class="w"> </span><span class="nt">messageExpression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">110</span><span class="cl"><span class="sd"> object.apiVersion + &#39;/&#39; + object.kind + &#39; is deprecated and will be removed in v1.32. </span></span></span><span class="line"><span class="ln">111</span><span class="cl"><span class="sd"> See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/check-env-vars/check-env-vars/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/check-env-vars/check-env-vars/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/check-env-vars/check-env-vars.yaml" target="-blank">/other/check-env-vars/check-env-vars.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-env-vars</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Environment Variables</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Environment variables control many aspects of a container&#39;s execution and are </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> often the source of many different configuration settings. Being able to ensure that </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the value of a specific environment variable either is or is not set to a specific string </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> is useful to maintain such controls. This policy checks every container to ensure that if the </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> `DISABLE_OPA` environment variable is defined, it must not be set to a value of `&#34;true&#34;`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-disable-opa</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;DISABLE_OPA must not be set to true.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">=(env)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="l">DISABLE_OPA</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!true&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/check-env-vars/check-env-vars/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/check-env-vars/check-env-vars/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/check-env-vars/check-env-vars.yaml" target="-blank">/other-cel/check-env-vars/check-env-vars.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-env-vars</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Environment Variables in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Environment variables control many aspects of a container&#39;s execution and are </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> often the source of many different configuration settings. Being able to ensure that </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the value of a specific environment variable either is or is not set to a specific string </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> is useful to maintain such controls. This policy checks every container to ensure that if the </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> `DISABLE_OPA` environment variable is defined, it must not be set to a value of `&#34;true&#34;`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-disable-opa</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>!<span class="l">object.spec.containers.exists(container, </span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="l">container.?env.orValue([]).exists(e, e.name == &#39;DISABLE_OPA&#39; &amp;&amp; e.value == &#39;true&#39;))</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;DISABLE_OPA must not be set to true.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/check-vpa-configuration/check-vpa-configuration/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/check-vpa-configuration/check-vpa-configuration/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/check-vpa-configuration/check-vpa-configuration.yaml" target="-blank">/other/check-vpa-configuration/check-vpa-configuration.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-vpa-configuration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check for matching VerticalPodAutoscaler (VPA)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, StatefulSet, ReplicaSet, DaemonSet, VerticalPodAutoscaler</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> It requires defining a specific target resource by kind and name. There are no built-in </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> validation checks by the VPA controller to ensure that the target resource is associated with it. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy ensures that the matching kind has a matching VPA. </span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-vpa-configuration</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">ReplicaSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">vpas</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/autoscaling.k8s.io/v1/namespaces/{{request.object.metadata.namespace}}/verticalpodautoscalers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?spec.targetRef.kind==&#39;{{ request.object.kind }}&#39;].spec.targetRef.name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> Workload &#39;{{request.object.kind}}/{{request.object.metadata.name}}&#39; </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> requires a matching VerticalPodAutoscaler (VPA) in the </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> &#39;{{request.object.metadata.namespace}}&#39; namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotIn </span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ vpas }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kasten-cel/k10-hourly-rpo/k10-hourly-rpo/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kasten-cel/k10-hourly-rpo/k10-hourly-rpo/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml" target="-blank">/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k10-policy-hourly-rpo</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Hourly RPO in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Kasten K10 by Veeam in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit </span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k10-policy-hourly-rpo</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">config.kio.kasten.io/v1alpha1/Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">appPriority</span><span class="p">:</span><span class="w"> </span><span class="l">Mission-Critical</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has(object.spec.frequency) &amp;&amp; object.spec.frequency == &#39;@hourly&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Mission Critical RPO frequency should use no shorter than @hourly frequency&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-base-image/require-base-image/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-base-image/require-base-image/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-base-image/require-base-image.yaml" target="-blank">/other/require-base-image/require-base-image.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-base-image</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Image Base</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Container images can be built from a variety of sources, including other preexisting </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> images. Ensuring images that are allowed to run are built from known, trusted </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> images where their provenance is guaranteed can be an important step in ensuring </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> overall cluster security. This policy ensures that any </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> container image specifies some base image in its metadata from four possible sources: </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> Docker BuildKit, OCI annotations (in manifest or config), or Buildpacks. Note that the </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> ability to detect the presence of a base image is not implicit and requires the author </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> to specify it using metadata or build directives of some sort (ex., Dockerfile FROM </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> statements do not automatically expose this information).</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-base-image</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Images must specify a source/base image from which they are built.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imageData</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mobysource</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">imageData.configData.&#34;moby.buildkit.buildinfo.v1&#34; | base64_decode(@).parse_json(@) | sources[?type == &#39;docker-image&#39;].ref | length(@)</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ocisourcelabels</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">imageData.configData.config.Labels | keys(@)</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ocisourceannotations</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">imageData.manifest.annotations.&#34;org.opencontainers.image.base.name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">buildpacks</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">parse_json(imageData.configData.config.Labels.&#34;io.buildpacks.lifecycle.metadata&#34;).runImage.reference || parse_json(imageData.configData.config.Labels.&#34;io.buildpacks.lifecycle.metadata&#34;).stack.runImage.image</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;org.opencontainers.image.base.name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ ocisourcelabels}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ ocisourceannotations}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ mobysource }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ buildpacks }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-3-2-1-backup/kasten-3-2-1-backup/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-3-2-1-backup/kasten-3-2-1-backup/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kasten/kasten-3-2-1-backup/kasten-3-2-1-backup.yaml" target="-blank">/kasten/kasten-3-2-1-backup/kasten-3-2-1-backup.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-3-2-1-backup-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Kasten 3-2-1 Backup Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Veeam Kasten</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24-1.30&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The 3-2-1 rule of data protection recommends that you have at least 3 copies of data, on 2 different storage targets, with 1 being offsite. This approach ensures a health mix of redundancy options for data recovery of the application for localized &amp; multi-region cloud failures or compromise. In Kubernetes, this translates to the original running resources, a local snapshot, and a copy of all application resources and volume data exported to an external repository. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy accomplishes 3-2-1 validation by ensuring each policy contains both &#39;action: backup&#39; and &#39;action: export&#39;.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit </span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-3-2-1-backup-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">config.kio.kasten.io/v1alpha1/Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The Kasten 3-2-1 policy requires both &#39;action: backup&#39; and &#39;action: export&#39; be defined in the Policy.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="l">backup</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="l">export</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.actions[].action }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-immutable-location-profile/kasten-immutable-location-profile/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-immutable-location-profile/kasten-immutable-location-profile/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kasten/kasten-immutable-location-profile/kasten-immutable-location-profile.yaml" target="-blank">/kasten/kasten-immutable-location-profile/kasten-immutable-location-profile.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-immutable-location-profile</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Kasten Location Profile is Immutable</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Veeam Kasten</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">config.kio.kasten.io/v1alpha1/Profile</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.25-1.30&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Ensure Kasten Location Profiles have enabled immutability to prevent unintentional or malicious changes to backup data.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-immutable-location-profile</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="l">Profile</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="sd"> All Kasten Location Profiles must have immutability enabled.</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">(type)</span><span class="p">:</span><span class="w"> </span><span class="l">Location</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">locationSpec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">objectStore</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">protectionPeriod</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-hourly-rpo/kasten-hourly-rpo/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-hourly-rpo/kasten-hourly-rpo/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kasten/kasten-hourly-rpo/kasten-hourly-rpo.yaml" target="-blank">/kasten/kasten-hourly-rpo/kasten-hourly-rpo.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-hourly-rpo</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Kasten Policy RPO based on Namespace Label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Veeam Kasten</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24-1.30&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Kasten Policy resources can be required to adhere to common Recovery Point Objective (RPO) best practices. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This example policy validates that the Policy is set to run hourly if it explicitly protects any namespaces containing the `appPriority=critical` label. This policy can be adapted to enforce any Kasten Policy requirements based on a namespace label.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce </span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-hourly-rpo</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">config.kio.kasten.io/v1alpha1/Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespacesWithPriorityLabel</span><span class="w"> </span><span class="c"># Get list of namespaces with appPriority=critical label</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces?labelSelector=appPriority%3Dcritical&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[].metadata.name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ length(namespacesWithPriorityLabel) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="c"># Only proceed if namespaces with appPriority=critical label exist</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Mission Critical RPO frequency should use no shorter than @hourly frequency&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.selector.matchExpressions[0].values&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span><span class="c"># Deny admission if the policy is not hourly AND any namespaces listed in the Policy contain the appPriority=critical label</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ namespacesWithPriorityLabel }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.frequency }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;@hourly&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy.yaml" target="-blank">/linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-linkerd-authorizationpolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Linkerd AuthorizationPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Linkerd</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">AuthorizationPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.8.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> As of Linkerd 2.12, an AuthorizationPolicy is a resource used to selectively allow traffic </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> to either a Server or HTTPRoute resource. Creating AuthorizationPolicies is needed when </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> a Server exists in order to control what traffic is permitted within the mesh to the Pods </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> selected by the Server or HTTPRoute. This policy, requiring Linkerd 2.12+, checks incoming </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> AuthorizationPolicy resources to ensure that either a matching Server or HTTPRoute exists </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> first.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-server-exists</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">AuthorizationPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">servers</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/policy.linkerd.io/v1beta1/namespaces/{{request.namespace}}/servers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[].metadata.name || `[]`&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">httproutes</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/policy.linkerd.io/v1beta1/namespaces/{{request.namespace}}/httproutes&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[].metadata.name || `[]`&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Server or HTTPRoute not found for this AuthorizationPolicy.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.targetRef.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{servers}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.targetRef.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{httproutes}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/check-serviceaccount-secrets/check-serviceaccount-secrets/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/check-serviceaccount-secrets/check-serviceaccount-secrets/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml" target="-blank">/other/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-serviceaccount-secrets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Long-Lived Secrets in ServiceAccounts</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Secret,ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Before version 1.24, Kubernetes automatically generated Secret-based tokens </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> for ServiceAccounts. To distinguish between automatically generated tokens </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> and manually created ones, Kubernetes checks for a reference from the </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> ServiceAccount&#39;s secrets field. If the Secret is referenced in the secrets </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> field, it is considered an auto-generated legacy token. These legacy Tokens can </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> be of security concern and should be audited.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-secrets</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Long-lived API tokens are not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">X(secrets)</span><span class="p">:</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml" target="-blank">/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-serviceaccount-secrets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Long-Lived Secrets in ServiceAccounts in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Secret,ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Before version 1.24, Kubernetes automatically generated Secret-based tokens </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> for ServiceAccounts. To distinguish between automatically generated tokens </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> and manually created ones, Kubernetes checks for a reference from the </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> ServiceAccount&#39;s secrets field. If the Secret is referenced in the secrets </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> field, it is considered an auto-generated legacy token. These legacy Tokens can </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> be of security concern and should be audited.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-secrets</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!has(object.secrets)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Long-lived API tokens are not allowed.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml" target="-blank">/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-kernel</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Node for CVE-2022-0185</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy runs in background mode and flags an entry in the ClusterPolicyReport </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> if any Node is reporting one of the affected kernel versions.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kernel-validate</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Kernel is vulnerable to CVE-2022-0185.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.status.nodeInfo.kernelVersion}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;5.10.84-1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.status.nodeInfo.kernelVersion}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;5.15.5-2&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml" target="-blank">/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-kernel</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Node for CVE-2022-0185 in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy runs in background mode and flags an entry in the ClusterPolicyReport </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> if any Node is reporting one of the affected kernel versions.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kernel-validate</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!(object.status.nodeInfo.kernelVersion in [&#39;5.10.84-1&#39;, &#39;5.15.5-2&#39;])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Kernel is vulnerable to CVE-2022-0185.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/check-nvidia-gpu/check-nvidia-gpu/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/check-nvidia-gpu/check-nvidia-gpu/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/check-nvidia-gpu/check-nvidia-gpu.yaml" target="-blank">/other/check-nvidia-gpu/check-nvidia-gpu.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-nvidia-gpus</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check NVIDIA GPUs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Containers which request use of an NVIDIA GPU often need to </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> be authored to consume them via a CUDA environment variable called </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> NVIDIA_VISIBLE_DEVICES. This policy checks the containers which </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> request a GPU to ensure they have been authored with this environment </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> variable.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-nvidia-gpus</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Images which reserve NVIDIA GPUs must be built to use them.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imageData</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="c"># If a container image calls for an NVIDIA GPU in its resources.limits, it must also</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="c"># have been built with the CUDA environment variable `NVIDIA_VISIBLE_DEVICES`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;NVIDIA_VISIBLE_DEVICES=*?&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ imageData.configData.config.Env || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.resources.limits.\&#34;nvidia.com/gpu\&#34; || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/pdb-minavailable/pdb-minavailable/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/pdb-minavailable/pdb-minavailable/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/pdb-minavailable/pdb-minavailable.yaml" target="-blank">/other/pdb-minavailable/pdb-minavailable.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pdb-minavailable-check</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check PodDisruptionBudget minAvailable</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PodDisruptionBudget, Deployment, StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> When a Pod controller which can run multiple replicas is subject to an active PodDisruptionBudget, </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> if the replicas field has a value equal to the minAvailable value of the PodDisruptionBudget </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> it may prevent voluntary disruptions including Node drains which may impact routine maintenance </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> tasks and disrupt operations. This policy checks incoming Deployments and StatefulSets which have </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> a matching PodDisruptionBudget to ensure these two values do not match.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pdb-minavailable</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.replicas || `1` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">minavailable</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/policy/v1/namespaces/{{request.namespace}}/poddisruptionbudgets&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?label_match(spec.selector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | [0] | spec.minAvailable || `0`&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> The matching PodDisruptionBudget for this resource has its minAvailable value equal to the replica count </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> which is not permitted.</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.replicas }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ minavailable }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/check-serviceaccount/check-serviceaccount/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/check-serviceaccount/check-serviceaccount/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/check-serviceaccount/check-serviceaccount.yaml" target="-blank">/other/check-serviceaccount/check-serviceaccount.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-sa</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.21&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> ServiceAccounts with privileges to create Pods may be able to do so and name </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> a ServiceAccount other than the one used to create it. This policy checks the </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Pod, if created by a ServiceAccount, and ensures the `serviceAccountName` field </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> matches the actual ServiceAccount.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-sa</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{serviceAccountName}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*?&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The ServiceAccount used to create this Pod is confined to using the same account when running the Pod.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">serviceAccountName</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{serviceAccountName}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/check-subjectaccessreview/check-subjectaccessreview/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/check-subjectaccessreview/check-subjectaccessreview/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/check-subjectaccessreview/check-subjectaccessreview.yaml" target="-blank">/other/check-subjectaccessreview/check-subjectaccessreview.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-subjectaccessreview</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check SubjectAccessReview</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">SubjectAccessReview</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> In some cases a validation check for one type of resource may need to </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> take into consideration the requesting user&#39;s permissions on a different type of resource. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Rather than parsing through all Roles and/or ClusterRoles to check if these permissions </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> are held, Kyverno can perform a SubjectAccessReview request to the Kubernetes API server </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> and have it figure out those permissions. This policy illustrates how to perform a POST </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> request to the API server to subject a SubjectAccessReview for a user creating/updating a </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> ConfigMap. It is intended to be used as a component in a more functional rule.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-sar</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">subjectaccessreview</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="l">/apis/authorization.k8s.io/v1/subjectaccessreviews</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l">POST</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">kind</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">SubjectAccessReview</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">apiVersion</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">authorization.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">spec</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">resourceAttributes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">resource</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;namespaces&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.namespace }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">verb</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;delete&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">user</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.userInfo.username }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;User is not authorized.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ subjectaccessreview.status.allowed }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psp-migration/check-supplemental-groups/check-supplemental-groups/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psp-migration/check-supplemental-groups/check-supplemental-groups/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psp-migration/check-supplemental-groups/check-supplemental-groups.yaml" target="-blank">/psp-migration/check-supplemental-groups/check-supplemental-groups.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">psp-check-supplemental-groups</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check supplementalGroups</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">PSP Migration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Supplemental groups control which group IDs containers add and can coincide with </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> restricted groups on the host. Pod Security Policies (PSP) allowed a range of </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> these group IDs to be specified which were allowed. This policy ensures any Pod </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> may only specify supplementalGroup IDs between 100-200 or 500-600.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">supplementalgroup-ranges</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Any supplementalGroup ID must be within the range 100-200 or 500-600.</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">=(supplementalGroups)</span><span class="p">:</span><span class="w"> </span><span class="m">100-200</span><span class="w"> </span><span class="l">| 500-600</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psp-migration-cel/check-supplemental-groups/check-supplemental-groups/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psp-migration-cel/check-supplemental-groups/check-supplemental-groups/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml" target="-blank">/psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">psp-check-supplemental-groups</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check supplementalGroups in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">PSP Migration in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Supplemental groups control which group IDs containers add and can coincide with </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> restricted groups on the host. Pod Security Policies (PSP) allowed a range of </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> these group IDs to be specified which were allowed. This policy ensures any Pod </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> may only specify supplementalGroup IDs between 100-200 or 500-600.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">supplementalgroup-ranges</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> object.spec.?securityContext.?supplementalGroups.orValue([]).all(supplementalGroup, (supplementalGroup &gt;= 100 &amp;&amp; supplementalGroup &lt;= 200) || (supplementalGroup &gt;= 500 &amp;&amp; supplementalGroup &lt;= 600))</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Any supplementalGroup ID must be within the range 100-200 or 500-600.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan.yaml" target="-blank">/tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-tekton-taskrun-vuln-scan</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Check Tekton TaskRun Vulnerability Scan</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Tekton</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">TaskRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> A signed bundle is required and a vulnerability scan made by Grype must </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> return no vulnerabilities greater than 8.0.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">webhookTimeoutSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-signature</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">tekton.dev/v1beta1/TaskRun.status </span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">imageExtractors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">TaskRun</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;taskrunstatus&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/status/taskSpec/steps/*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;image&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">verifyImages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">imageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">attestations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">predicateType</span><span class="p">:</span><span class="w"> </span><span class="l">https://grype.anchore.io/scan</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">publicKeys</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> -----BEGIN PUBLIC KEY----- </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEahmSvGFmxMJABilV1usgsw6ImcQ/ </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> gDaxw57Sq+uNGHW8Q3zUSx46PuRqdTI+4qE3Ng2oFZgLMpFN/qMrP0MQQg== </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> -----END PUBLIC KEY----- </span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ matches[].vulnerability[].cvss[?metrics.impactScore &gt; &#39;8.0&#39;][] | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ source.target.userInput }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ghcr.io/tap8stry/git-init:v0.21.0@sha256:322e3502c1e6fba5f1869efb55cfd998a3679e073840d33eb0e3c482b5d5609b&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/cleanup/cleanup-bare-pods/cleanup-bare-pods/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/cleanup/cleanup-bare-pods/cleanup-bare-pods/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//cleanup/cleanup-bare-pods/cleanup-bare-pods.yaml" target="-blank">/cleanup/cleanup-bare-pods/cleanup-bare-pods.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterCleanupPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">clean-bare-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Cleanup Bare Pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> A bare Pod is any Pod created directly and not owned by a controller such as a </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> Deployment or Job. Bare Pods are often create manually by users in an attempt to troubleshoot </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> an issue. If left in the cluster, they create clutter, increase cost, and can be a security </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> risk. Bare Pods can be cleaned up periodically through use of a policy. This policy finds </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> and removes all bare Pods across the cluster.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ target.metadata.ownerReferences[] || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*/5 * * * *&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/cleanup/cleanup-empty-replicasets/cleanup-empty-replicasets/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/cleanup/cleanup-empty-replicasets/cleanup-empty-replicasets/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//cleanup/cleanup-empty-replicasets/cleanup-empty-replicasets.yaml" target="-blank">/cleanup/cleanup-empty-replicasets/cleanup-empty-replicasets.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="c">#The described logic currently deletes the ReplicaSets created 30 seconds ago. You can adjust this timeframe according to your specific requirements.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterCleanupPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cleanup-empty-replicasets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Cleanup Empty ReplicaSets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ReplicaSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> ReplicaSets serve as an intermediate controller for various Pod controllers like Deployments. When a new version of a Deployment is initiated, it generates a new ReplicaSet with the specified number of replicas and scales down the current one to zero. Consequently, numerous empty ReplicaSets may accumulate in the cluster, leading to clutter and potential false positives in policy reports if enabled. This cleanup policy is designed to remove empty ReplicaSets across the cluster within a specified timeframe, for instance, ReplicaSets created one day ago, ensuring the ability to rollback to previous ReplicaSets in case of deployment issues</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="l">ReplicaSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ target.spec.replicas }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ time_diff(&#39;{{target.metadata.creationTimestamp}}&#39;,&#39;{{ time_now_utc() }}&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0h0m30s&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*/1 * * * *&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/get-debug-information/get-debug-information/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/get-debug-information/get-debug-information/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/get-debug-information/get-debug-information.yaml" target="-blank">/other/get-debug-information/get-debug-information.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">get-debug-data-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Collect Debug Information for Pods in CrashLoopBackOff</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.5</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy generates a job which gathers troubleshooting data (including logs, kubectl describe output and events from the namespace) from pods that are in CrashLoopBackOff and have 3 restarts. This data can further be used to automatically create a Jira issue using some kind of automation or another Kyverno policy. For more information on the image used in this policy in addition to the necessary RBAC resources required in order for this policy to operate, see the documentation at https://github.com/nirmata/SRE-Operational-Usecases/tree/main/get-troubleshooting-data/get-debug-data. </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">get-debug-data-policy-rule</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="l">v1/Pod.status</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pdcount</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{request.namespace}}/pods?labelSelector=requestpdname=pod-{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items | length(@)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ sum(request.object.status.containerStatuses[*].restartCount || `0`) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">3</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.labels.deleteme || &#39;empty&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;empty&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ pdcount }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">batch/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">get-debug-data-{{request.object.metadata.name}}-{{ random(&#39;[0-9a-z]{8}&#39;) }}</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">deleteme</span><span class="p">:</span><span class="w"> </span><span class="l">allow</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">my-app</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">deleteme</span><span class="p">:</span><span class="w"> </span><span class="l">allow</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">requestpdname</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;pod-{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">restartPolicy</span><span class="p">:</span><span class="w"> </span><span class="l">OnFailure</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-container</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">sagarkundral/my-python-app:v52</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span>- <span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="m">8080</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">volumeMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l">/var/run/secrets/kubernetes.io/serviceaccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">token</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">readOnly</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">args</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;/app/get-debug-jira-v2.sh&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{request.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">serviceAccount</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span><span class="c"># This serviceaccount needs the necessary RBAC in order for the policy to operate. </span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">token</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">projected</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">defaultMode</span><span class="p">:</span><span class="w"> </span><span class="m">420</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">sources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span>- <span class="nt">serviceAccountToken</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span><span class="nt">expirationSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">3607</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">token</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span>- <span class="nt">configMap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span><span class="nt">items</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">ca.crt</span><span class="w"> </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">ca.crt</span><span class="w"> </span></span></span><span class="line"><span class="ln">83</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kube-root-ca.crt</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/concatenate-configmaps/concatenate-configmaps/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/concatenate-configmaps/concatenate-configmaps/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/concatenate-configmaps/concatenate-configmaps.yaml" target="-blank">/other/concatenate-configmaps/concatenate-configmaps.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">concatenate-configmaps</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Concatenate ConfigMaps</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In some cases, an update to an existing resource should have downstream effects </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> on a different resource in another Namespace. Rather than overwriting the target, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the current state of the source can be concatenated to the target. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy, triggered by an update to a source ConfigMap, concatenates </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> that value of a target ConfigMap in a different Namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">mutateExistingOnPolicyUpdate</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">concat-cm</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">cmone</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">foo</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cmtwo</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">bar</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">keytwo</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ @ }} plus {{request.object.data.keyone}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/copy-namespace-labels/copy-namespace-labels/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/copy-namespace-labels/copy-namespace-labels/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/copy-namespace-labels/copy-namespace-labels.yaml" target="-blank">/other/copy-namespace-labels/copy-namespace-labels.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">copy-namespace-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Copy Namespace Labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, Label, Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> It is common for Namespaced resources to need access to labels which have been assigned </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> to the Namespace in which they reside. This policy demonstrates two different ways of </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> assigning Namespace labels to a Deployment. The first method copies only the `owner` label </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> while the second copies all labels except for `kubernetes.io/metadata.name`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">owner-label-deployment-from-ns</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">owner</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{ request.object.metadata.namespace }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">metadata.labels.owner || &#39;empty&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">owner</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ owner }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">all-label-deployment-from-ns</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">alllabels</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{ request.object.metadata.namespace }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">metadata.labels | merge(@, {&#34;kubernetes.io/metadata.name&#34;:null})</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="s2">&#34;{{ alllabels }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/cordon-and-drain-node/cordon-and-drain-node/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/cordon-and-drain-node/cordon-and-drain-node/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/cordon-and-drain-node/cordon-and-drain-node.yaml" target="-blank">/other/cordon-and-drain-node/cordon-and-drain-node.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cordon-and-drain-node</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Cordon and Drain Node</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> There are cases where either an operations or security incident may occur and Nodes </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> should be evacuated and placed in an unused state for further analysis. For example, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> a Node is found to be running a vulnerable version of a CRI engine or kernel and to </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> minimize chances of a compromise may need to be decommissioned so another can be built. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy shows how to use Kyverno to both cordon and drain a given Node and uses a </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> hypothetical label being written to it called `testing=drain` to illustrate the point. </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> For production use, the match block should be modified to trigger on the appropriate </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> condition.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mutate-node</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">testing</span><span class="p">:</span><span class="w"> </span><span class="l">drain</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">unschedulable</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">taints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">effect</span><span class="p">:</span><span class="w"> </span><span class="l">NoExecute</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno-evicted</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">timeAdded</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ time_now_utc() }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio/create-authorizationpolicy/create-authorizationpolicy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio/create-authorizationpolicy/create-authorizationpolicy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio/create-authorizationpolicy/create-authorizationpolicy.yaml" target="-blank">/istio/create-authorizationpolicy/create-authorizationpolicy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">create-authorizationpolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Create Istio Deny AuthorizationPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">AuthorizationPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> An AuthorizationPolicy enables access controls on workloads in the mesh. It supports per-Namespace controls </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> which can be a union of different behaviors. This policy creates a default deny AuthorizationPolicy </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> for all new Namespaces. Further AuthorizationPolicies should be created to more granularly allow </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> traffic as permitted. Use of this policy will likely require granting the Kyverno ServiceAccount </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> additional privileges required to generate AuthorizationPolicy resources.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">generate-deny-authorizationpolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">security.istio.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">AuthorizationPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-deny</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml" target="-blank">/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-commands-in-exec-probe</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Deny Commands in Exec Probe</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.1.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Developers may feel compelled to use simple shell commands as a workaround to </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> creating &#34;proper&#34; liveness or readiness probes for a Pod. Such a practice can be discouraged </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> via detection of those commands. This policy prevents the use of certain commands </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> `jcmd`, `ps`, or `ls` if found in a Pod&#39;s liveness exec probe.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-commands</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ length(request.object.spec.containers[].livenessProbe.exec.command[] || `[]`) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes.</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match(&#39;\\bjcmd\\b&#39;,@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match(&#39;\\bps\\b&#39;,@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match(&#39;\\bls\\b&#39;,@) }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml" target="-blank">/other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-commands-in-exec-probe</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Deny Commands in Exec Probe in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Developers may feel compelled to use simple shell commands as a workaround to </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> creating &#34;proper&#34; liveness or readiness probes for a Pod. Such a practice can be discouraged </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> via detection of those commands. This policy prevents the use of certain commands </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> `jcmd`, `ps`, or `ls` if found in a Pod&#39;s liveness exec probe.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-commands</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;check-liveness-probes-commands-exist&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.containers.exists(container, size(container.?livenessProbe.?exec.?command.orValue([])) &gt; 0)</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> object.spec.containers.all(container, </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> !container.?livenessProbe.?exec.?command.orValue([]).exists(command, </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> command.matches(&#39;\\bjcmd\\b&#39;) || command.matches(&#39;\\bps\\b&#39;) || command.matches(&#39;\\bls\\b&#39;)))</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/resource-creation-updating-denied/resource-creation-updating-denied/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/resource-creation-updating-denied/resource-creation-updating-denied/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/resource-creation-updating-denied/resource-creation-updating-denied.yaml" target="-blank">/other/resource-creation-updating-denied/resource-creation-updating-denied.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">resource-creation-updating-denied</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Deny Creation and Updating of Resources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy denies the creation and updating of resources specifically for Deployment </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> and Pod kinds during a specified time window. The policy is designed to enhance control </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> over resource modifications during critical periods, ensuring stability and consistency </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> within the Kubernetes environment.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-creation-updating-of-resources</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ time_now_utc().time_to_cron(@).split(@,&#39;&#39; &#39;&#39;) | [1].to_number(@) }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">8-10</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Creating and updating resources is not allowed at this time.</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{request.operation}}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psa/deny-privileged-profile/deny-privileged-profile/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psa/deny-privileged-profile/deny-privileged-profile/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psa/deny-privileged-profile/deny-privileged-profile.yaml" target="-blank">/psa/deny-privileged-profile/deny-privileged-profile.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-privileged-profile</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Deny Privileged Profile</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Admission</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> When Pod Security Admission (PSA) is enforced at the cluster level </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> via an AdmissionConfiguration file which defines a default level at </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> baseline or restricted, setting of a label at the `privileged` profile </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> will effectively cause unrestricted workloads in that Namespace, overriding </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> the cluster default. This may effectively represent a circumvention attempt </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> and should be closely controlled. This policy ensures that only those holding </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> the cluster-admin ClusterRole may create Namespaces which assign the label </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> `pod-security.kubernetes.io/enforce=privileged`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-privileged</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/enforce</span><span class="p">:</span><span class="w"> </span><span class="l">privileged</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">clusterRoles</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="l">cluster-admin</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Only cluster-admins may create Namespaces that allow setting the privileged level.</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psa-cel/deny-privileged-profile/deny-privileged-profile/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psa-cel/deny-privileged-profile/deny-privileged-profile/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psa-cel/deny-privileged-profile/deny-privileged-profile.yaml" target="-blank">/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-privileged-profile</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Deny Privileged Profile in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Admission in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> When Pod Security Admission (PSA) is enforced at the cluster level </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> via an AdmissionConfiguration file which defines a default level at </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> baseline or restricted, setting of a label at the `privileged` profile </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> will effectively cause unrestricted workloads in that Namespace, overriding </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> the cluster default. This may effectively represent a circumvention attempt </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> and should be closely controlled. This policy ensures that only those holding </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> the cluster-admin ClusterRole may create Namespaces which assign the label </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> `pod-security.kubernetes.io/enforce=privileged`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-privileged</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/enforce</span><span class="p">:</span><span class="w"> </span><span class="l">privileged</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">clusterRoles</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="l">cluster-admin</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Only cluster-admins may create Namespaces that allow setting the privileged level.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml" target="-blank">/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-secret-service-account-token-type</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Deny Secret Service Account Token Type</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Secret, ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Before version 1.24, Kubernetes automatically generated Secret-based tokens </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> for ServiceAccounts. When creating a Secret, you can specify its type using the </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> type field of the Secret resource . The type kubernetes.io/service-account-token </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> is used for legacy ServiceAccount tokens . These legacy Tokens can </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> be of security concern and should be audited.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-secret-service-account-token-type</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Secret ServiceAccount token type is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!kubernetes.io/service-account-token&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml" target="-blank">/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-secret-service-account-token-type</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Deny Secret Service Account Token Type in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Secret, ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Before version 1.24, Kubernetes automatically generated Secret-based tokens </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> for ServiceAccounts. When creating a Secret, you can specify its type using the </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> type field of the Secret resource . The type kubernetes.io/service-account-token </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> is used for legacy ServiceAccount tokens . These legacy Tokens can </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> be of security concern and should be audited.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-secret-service-account-token-type</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.type != &#39;kubernetes.io/service-account-token&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Secret ServiceAccount token type is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/disable-automountserviceaccounttoken/disable-automountserviceaccounttoken/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/disable-automountserviceaccounttoken/disable-automountserviceaccounttoken/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/disable-automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml" target="-blank">/other/disable-automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disable-automountserviceaccounttoken</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disable automountServiceAccountToken</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.21&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> A new ServiceAccount called `default` is created whenever a new Namespace is created. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Pods spawned in that Namespace, unless otherwise set, will be assigned this ServiceAccount. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy mutates any new `default` ServiceAccounts to disable auto-mounting of the token </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> into Pods obviating the need to do so individually.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disable-automountserviceaccounttoken</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">automountServiceAccountToken</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/disable-service-discovery/disable-service-discovery/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/disable-service-discovery/disable-service-discovery/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/disable-service-discovery/disable-service-discovery.yaml" target="-blank">/other/disable-service-discovery/disable-service-discovery.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disable-service-discovery</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disable Service Discovery</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span>-<span class="l">rc2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Not all Pods require communicating with other Pods or resolving in-cluster Services. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> For those, disabling service discovery can increase security as the Pods are limited </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to what they can see. This policy mutates Pods to set dnsPolicy to `Default` and </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> enableServiceLinks to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">example-configmap-lookup</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">dnsPolicy</span><span class="p">:</span><span class="w"> </span><span class="l">Default</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">enableServiceLinks</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/disallow-all-secrets/disallow-all-secrets/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/disallow-all-secrets/disallow-all-secrets/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/disallow-all-secrets/disallow-all-secrets.yaml" target="-blank">/other/disallow-all-secrets/disallow-all-secrets.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span>-<span class="l">secrets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow all Secrets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.21&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Secrets often contain sensitive information which not all Pods need consume. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy disables the use of all Secrets in a Pod definition. In order to work effectively, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secrets-not-from-env</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;No Secrets from env.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">=(env)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">=(valueFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">X(secretKeyRef)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">=(env)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">=(valueFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">X(secretKeyRef)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">=(env)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">=(valueFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">X(secretKeyRef)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secrets-not-from-envfrom</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;No Secrets from envFrom.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">=(envFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span>- <span class="nt">X(secretRef)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">=(envFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">X(secretRef)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">=(envFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span>- <span class="nt">X(secretRef)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secrets-not-from-volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;No Secrets from volumes.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">=(volumes)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span>- <span class="nt">X(secret)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/disallow-all-secrets/disallow-all-secrets/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/disallow-all-secrets/disallow-all-secrets/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/disallow-all-secrets/disallow-all-secrets.yaml" target="-blank">/other-cel/disallow-all-secrets/disallow-all-secrets.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span>-<span class="l">secrets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow all Secrets in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Secrets often contain sensitive information which not all Pods need consume. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy disables the use of all Secrets in a Pod definition. In order to work effectively, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secrets-not-from-env-envFrom-and-volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> container.?env.orValue([]).all(env, env.?valueFrom.?secretKeyRef.orValue(true)))</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;No Secrets from env.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> container.?envFrom.orValue([]).all(envFrom, !has(envFrom.secretRef)))</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;No Secrets from envFrom.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?volumes.orValue([]).all(volume, !has(volume.secret))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;No Secrets from volumes.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml" target="-blank">/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-self-provisioner-binding</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow binding to self-provisioner cluster role in OpenShift</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">OpenShift</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.20&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRoleBinding, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-self-provisioner-binding-no-subject</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">self-provisioners</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> Modifying the self-provisioners ClusterRoleBinding is not allowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-self-provisioner-binding-with-subject</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name || &#39;&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">self-provisioners</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="sd"> Binding to the self-provisioners cluster role is not allowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">self-provisioner</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.roleRef.name}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-capabilities/disallow-capabilities/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-capabilities/disallow-capabilities/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml" target="-blank">/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Adding capabilities beyond those listed in the policy must be disallowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">adding-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> are disallowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">AUDIT_WRITE</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">CHOWN</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">DAC_OVERRIDE</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">FOWNER</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">FSETID</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="l">KILL</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="l">MKNOD</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="l">NET_BIND_SERVICE</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">SETFCAP</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="l">SETGID</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="l">SETPCAP</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="l">SETUID</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="l">SYS_CHROOT</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml" target="-blank">/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-capabilities-strict</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Capabilities (Strict)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> all containers must explicitly drop `ALL` capabilities.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-drop-all</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> Containers must drop `ALL` capabilities.</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.[ephemeralContainers, initContainers, containers][]</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">ALL</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.securityContext.capabilities.drop[] || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">adding-capabilities-strict</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="sd"> Any capabilities added other than NET_BIND_SERVICE are disallowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.[ephemeralContainers, initContainers, containers][]</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.securityContext.capabilities.add[] || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span>- <span class="l">NET_BIND_SERVICE</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span>- <span class="s1">&#39;&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml" target="-blank">/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-capabilities-strict</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Capabilities (Strict) in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> all containers must explicitly drop `ALL` capabilities.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-drop-all</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> Containers must drop `ALL` capabilities.</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> (has(object.spec.containers) ? object.spec.containers : []) + </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> (has(object.spec.initContainers) ? object.spec.initContainers : []) + </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> has(container.securityContext) &amp;&amp; </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> has(container.securityContext.capabilities) &amp;&amp; </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> has(container.securityContext.capabilities.drop) &amp;&amp; </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> container.securityContext.capabilities.drop.exists_one(capability, capability == &#39;ALL&#39;) </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> )</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">adding-capabilities-strict</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="sd"> (has(object.spec.containers) ? object.spec.containers : []) + </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="sd"> (has(object.spec.initContainers) ? object.spec.initContainers : []) + </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="sd"> (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="sd"> !has(container.securityContext) || </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="sd"> !has(container.securityContext.capabilities) || </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="sd"> !has(container.securityContext.capabilities.add) || </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="sd"> ( </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="sd"> size(container.securityContext.capabilities.add) == 1 &amp;&amp; </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="sd"> container.securityContext.capabilities.add[0] == &#39;NET_BIND_SERVICE&#39; </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="sd"> ) </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="sd"> )</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="sd"> Any capabilities added other than NET_BIND_SERVICE are disallowed.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/restricted/disallow-capabilities-strict/disallow-capabilities-strict/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/restricted/disallow-capabilities-strict/disallow-capabilities-strict/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml" target="-blank">/pod-security-vpol/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-capabilities-strict</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Capabilities (Strict) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> all containers must explicitly drop `ALL` capabilities.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> (object.spec.?initContainers.orValue([])) + </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> (object.spec.?ephemeralContainers.orValue([]))</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> container.?securityContext.?capabilities.?drop.orValue([]).exists_one(capability, capability == &#39;ALL&#39;))</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> Containers must drop `ALL` capabilities.</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> container.?securityContext.?capabilities.?add.orValue([]).size() == 0 || </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> (container.securityContext.capabilities.add.orValue([]).size() == 1 &amp;&amp; </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> container.securityContext.capabilities.add[0] == &#39;NET_BIND_SERVICE&#39;))</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> Any capabilities added other than NET_BIND_SERVICE are disallowed.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml" target="-blank">/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Capabilities in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Adding capabilities beyond those listed in the policy must be disallowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">adding-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowedCapabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;AUDIT_WRITE&#39;,&#39;CHOWN&#39;,&#39;DAC_OVERRIDE&#39;,&#39;FOWNER&#39;,&#39;FSETID&#39;,&#39;KILL&#39;,&#39;MKNOD&#39;,&#39;NET_BIND_SERVICE&#39;,&#39;SETFCAP&#39;,&#39;SETGID&#39;,&#39;SETPCAP&#39;,&#39;SETUID&#39;,&#39;SYS_CHROOT&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> container.?securityContext.?capabilities.?add.orValue([]).all(capability, capability == &#39;&#39; || </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> capability in variables.allowedCapabilities))</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> are disallowed.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-capabilities/disallow-capabilities/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-capabilities/disallow-capabilities/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/baseline/disallow-capabilities/disallow-capabilities.yaml" target="-blank">/pod-security-vpol/baseline/disallow-capabilities/disallow-capabilities.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Capabilities in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Adding capabilities beyond those listed in the policy must be disallowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowedCapabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> [&#39;AUDIT_WRITE&#39;,&#39;CHOWN&#39;,&#39;DAC_OVERRIDE&#39;,&#39;FOWNER&#39;,&#39;FSETID&#39;,&#39;KILL&#39;,&#39;MKNOD&#39;,&#39;NET_BIND_SERVICE&#39;,&#39;SETFCAP&#39;,&#39;SETGID&#39;,&#39;SETPCAP&#39;,&#39;SETUID&#39;,&#39;SYS_CHROOT&#39;]</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> (object.spec.containers + </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([]))</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> container.?securityContext.?capabilities.?add.orValue([]).all(capability, capability == &#39;&#39; || </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> capability in variables.allowedCapabilities))</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> are disallowed.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml" target="-blank">/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-container-sock-mounts</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow CRI socket mounts</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Container daemon socket bind mounts allows access to the container engine on the </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> node. This access can be used for privilege escalation and to manage containers </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> outside of Kubernetes, and hence should not be allowed. This policy validates that </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> to or replacement of this policy, preventing users from mounting the parent directories </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> (/var/run and /var) may be necessary to completely prevent socket bind mounts.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-docker-sock-mount</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of the Docker Unix socket is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">=(volumes)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">=(hostPath)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!/var/run/docker.sock&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-containerd-sock-mount</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of the Containerd Unix socket is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">=(volumes)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">=(hostPath)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!/var/run/containerd/containerd.sock&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-crio-sock-mount</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of the CRI-O Unix socket is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">=(volumes)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span>- <span class="nt">=(hostPath)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!/var/run/crio/crio.sock&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-dockerd-sock-mount</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of the Docker CRI socket is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">=(volumes)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span>- <span class="nt">=(hostPath)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!/var/run/cri-dockerd.sock&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml" target="-blank">/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-container-sock-mounts</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow CRI socket mounts in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Container daemon socket bind mounts allows access to the container engine on the </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> node. This access can be used for privilege escalation and to manage containers </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> outside of Kubernetes, and hence should not be allowed. This policy validates that </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> to or replacement of this policy, preventing users from mounting the parent directories </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> (/var/run and /var) may be necessary to completely prevent socket bind mounts.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-socket-mounts</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hasVolumes</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!has(object.spec.volumes)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.volumes&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">volumesWithHostPath</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.volumes.filter(volume, has(volume.hostPath))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> variables.hasVolumes || </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches(&#39;/var/run/docker.sock&#39;))</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of the Docker Unix socket is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> variables.hasVolumes || </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="sd"> variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches(&#39;/var/run/containerd/containerd.sock&#39;))</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of the Containerd Unix socket is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="sd"> variables.hasVolumes || </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="sd"> variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches(&#39;/var/run/crio/crio.sock&#39;))</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of the CRI-O Unix socket is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="sd"> variables.hasVolumes || </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="sd"> variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches(&#39;/var/run/cri-dockerd.sock&#39;))</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of the Docker CRI socket is not allowed.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml" target="-blank">/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-ingress-nginx-custom-snippets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Custom Snippets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security, NGINX Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap, Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.6.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.6.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Users that can create or update ingress objects can use the custom snippets </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> feature to obtain all secrets in the cluster (CVE-2021-25742). This policy </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> disables allow-snippet-annotations in the ingress-nginx configuration and </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> blocks *-snippet annotations on an Ingress. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> See: https://github.com/kubernetes/ingress-nginx/issues/7837</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-config-map</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">ConfigMap </span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ingress-nginx allow-snippet-annotations must be set to false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">=(data)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">=(allow-snippet-annotations) </span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-ingress-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="l">networking.k8s.io/v1/Ingress </span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ingress-nginx custom snippets are not allowed&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">=(annotations)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">X(*-snippet)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml" target="-blank">/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-ingress-nginx-custom-snippets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Custom Snippets in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security, NGINX Ingress in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap, Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.11.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.11.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Users that can create or update ingress objects can use the custom snippets </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> feature to obtain all secrets in the cluster (CVE-2021-25742). This policy </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> disables allow-snippet-annotations in the ingress-nginx configuration and </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> blocks *-snippet annotations on an Ingress. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> See: https://github.com/kubernetes/ingress-nginx/issues/7837</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-config-map</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE </span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.?data[?&#39;allow-snippet-annotations&#39;].orValue(&#39;false&#39;) == &#39;false&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ingress-nginx allow-snippet-annotations must be set to false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-ingress-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="l">networking.k8s.io/v1/Ingress </span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE </span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!object.metadata.?annotations.orValue([]).exists(annotation, annotation.endsWith(&#39;-snippet&#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ingress-nginx custom snippets are not allowed&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/disallow-default-namespace/disallow-default-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/disallow-default-namespace/disallow-default-namespace/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/disallow-default-namespace/disallow-default-namespace.yaml" target="-blank">/best-practices/disallow-default-namespace/disallow-default-namespace.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-default-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Default Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Multi-Tenancy</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Kubernetes Namespaces are an optional feature that provide a way to segment and </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> isolate cluster resources across multiple applications and users. As a best </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> practice, workloads should be isolated with Namespaces. Namespaces should be required </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> and the default (empty) Namespace should not be used. This policy validates that Pods </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> specify a Namespace name other than `default`. Rule auto-generation is disabled here </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> due to Pod controllers need to specify the `namespace` field under the top-level `metadata` </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> object and not at the Pod template level.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Using &#39;default&#39; namespace is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!default&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-podcontroller-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Using &#39;default&#39; namespace is not allowed for pod controllers.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!default&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/disallow-default-namespace/disallow-default-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/disallow-default-namespace/disallow-default-namespace/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml" target="-blank">/best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-default-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Default Namespace in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Multi-Tenancy in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Kubernetes Namespaces are an optional feature that provide a way to segment and </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> isolate cluster resources across multiple applications and users. As a best </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> practice, workloads should be isolated with Namespaces. Namespaces should be required </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> and the default (empty) Namespace should not be used. This policy validates that Pods </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> specify a Namespace name other than `default`. Rule auto-generation is disabled here </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> due to Pod controllers need to specify the `namespace` field under the top-level `metadata` </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> object and not at the Pod template level.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;namespaceObject.metadata.name != &#39;default&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Using &#39;default&#39; namespace is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-podcontroller-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;namespaceObject.metadata.name != &#39;default&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Using &#39;default&#39; namespace is not allowed for pod controllers.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//traefik/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml" target="-blank">/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-default-tlsoptions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Default TLSOptions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Traefik</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">TLSOption</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.21&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> The TLSOption CustomResource sets cluster-wide TLS configuration options for Traefik when </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> none are specified in a TLS router. Since this can take effect for all Ingress resources, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> creating the `default` TLSOption is a restricted operation. This policy ensures that </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> only a cluster-admin can create the `default` TLSOption resource.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-default-tlsoptions</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">TLSOption</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">clusterRoles</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">cluster-admin</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Only cluster administrators are allowed to set default TLSOptions.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml" target="-blank">/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-default-tlsoptions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Default TLSOptions in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Traefik in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">TLSOption</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> The TLSOption CustomResource sets cluster-wide TLS configuration options for Traefik when </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> none are specified in a TLS router. Since this can take effect for all Ingress resources, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> creating the `default` TLSOption is a restricted operation. This policy ensures that </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> only a cluster-admin can create the `default` TLSOption resource.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-default-tlsoptions</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">TLSOption</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">clusterRoles</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">cluster-admin</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Only cluster administrators are allowed to set default TLSOptions.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift/disallow-deprecated-apis/disallow-deprecated-apis/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift/disallow-deprecated-apis/disallow-deprecated-apis/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml" target="-blank">/openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-deprecated-apis</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow deprecated APIs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">OpenShift</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.20&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> OpenShift APIs are sometimes deprecated and removed after a few releases. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> As a best practice, older API versions should be replaced with newer versions. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy validates for APIs that are deprecated or scheduled for removal. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> Note that checking for some of these resources may require modifying the Kyverno </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> ConfigMap to remove filters. </span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-deprecated-apis</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">authorization.openshift.io/v1/ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">authorization.openshift.io/v1/ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">authorization.openshift.io/v1/Role</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">authorization.openshift.io/v1/RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated.</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml" target="-blank">/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-deprecated-apis</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow deprecated APIs in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">OpenShift in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> OpenShift APIs are sometimes deprecated and removed after a few releases. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> As a best practice, older API versions should be replaced with newer versions. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy validates for APIs that are deprecated or scheduled for removal. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> Note that checking for some of these resources may require modifying the Kyverno </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> ConfigMap to remove filters. </span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-deprecated-apis</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">authorization.openshift.io/v1/ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">authorization.openshift.io/v1/ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">authorization.openshift.io/v1/Role</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">authorization.openshift.io/v1/RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">messageExpression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> object.apiVersion + &#39;/&#39; + object.kind + &#39; is deprecated.&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml" target="-blank">/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-empty-ingress-host</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow empty Ingress host</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> An ingress resource needs to define an actual host name </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> in order to be valid. This policy ensures that there is a </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> hostname for each rule defined.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-empty-ingress-host</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The Ingress host name must be defined, not empty.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.rules[].host || `[]` | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.rules[].http || `[]` | length(@) }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml" target="-blank">/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-empty-ingress-host</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow empty Ingress host in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> An ingress resource needs to define an actual host name </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> in order to be valid. This policy ensures that there is a </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> hostname for each rule defined.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-empty-ingress-host</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.?rules.orValue([]).all(rule, has(rule.host) &amp;&amp; has(rule.http))</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The Ingress host name must be defined, not empty.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/disallow-helm-tiller/disallow-helm-tiller/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/disallow-helm-tiller/disallow-helm-tiller/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml" target="-blank">/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-helm-tiller</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Helm Tiller</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> resource accessible to any authenticated user. Tiller can lead to privilege escalation as </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> restricted users can impact other users. It is recommended to use Helm v3+ which does not contain </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Tiller for these reasons. This policy validates that there is not an image </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> containing the name `tiller`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-helm-tiller</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Helm Tiller is not allowed&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!*tiller*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.initContainers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!*tiller*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.ephemeralContainers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!*tiller*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml" target="-blank">/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-helm-tiller</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Helm Tiller in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> resource accessible to any authenticated user. Tiller can lead to privilege escalation as </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> restricted users can impact other users. It is recommend to use Helm v3+ which does not contain </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> Tiller for these reasons. This policy validates that there is not an image </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> containing the name `tiller`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-helm-tiller</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers.all(container, !container.image.contains(&#39;tiller&#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Helm Tiller is not allowed&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml" target="-blank">/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Host Namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Host namespaces (Process ID namespace, Inter-Process Communication namespace, and </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> network namespace) allow access to shared information and can be used to elevate </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> privileges. Pods should not be allowed access to host namespaces. This policy ensures </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> fields which make use of these host namespaces are unset or set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">host-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> Sharing the host namespaces is disallowed. The fields spec.hostNetwork, </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> spec.hostIPC, and spec.hostPID must be unset or set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">=(hostPID)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">=(hostIPC)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">=(hostNetwork)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml" target="-blank">/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Host Namespaces in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Host namespaces (Process ID namespace, Inter-Process Communication namespace, and </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> network namespace) allow access to shared information and can be used to elevate </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> privileges. Pods should not be allowed access to host namespaces. This policy ensures </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> fields which make use of these host namespaces are unset or set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">host-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> ( object.spec.?hostNetwork.orValue(false) == false) &amp;&amp; </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> ( object.spec.?hostIPC.orValue(false) == false) &amp;&amp; </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> ( object.spec.?hostPID.orValue(false) == false)</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> Sharing the host namespaces is disallowed. The fields spec.hostNetwork, </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> spec.hostIPC, and spec.hostPID must be unset or set to `false`.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-host-namespaces/disallow-host-namespaces/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-host-namespaces/disallow-host-namespaces/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml" target="-blank">/pod-security-vpol/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Host Namespaces in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Host namespaces (Process ID namespace, Inter-Process Communication namespace, and </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> network namespace) allow access to shared information and can be used to elevate </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> privileges. Pods should not be allowed access to host namespaces. This policy ensures </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> fields which make use of these host namespaces are unset or set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hostNetwork</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?hostNetwork.orValue(false)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hostIPC</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?hostIPC.orValue(false)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hostPID</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?hostPID.orValue(false)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> !(variables.hostNetwork || variables.hostIPC || variables.hostPID)</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> Sharing the host namespaces is disallowed. The fields spec.hostNetwork, </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> spec.hostIPC, and spec.hostPID must be unset or set to `false`. </span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-host-path/disallow-host-path/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-host-path/disallow-host-path/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/baseline/disallow-host-path/disallow-host-path.yaml" target="-blank">/pod-security/baseline/disallow-host-path/disallow-host-path.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-path</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow hostPath</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,Volume</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> HostPath volumes let Pods use host directories and volumes in containers. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Using host resources can be used to access shared data or escalate privileges </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> and should not be allowed. This policy ensures no hostPath volumes are in use.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">host-path</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="sd"> HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">=(volumes)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">X(hostPath)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-host-path/disallow-host-path/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-host-path/disallow-host-path/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml" target="-blank">/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-path</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow hostPath in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,Volume</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> HostPath volumes let Pods use host directories and volumes in containers. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Using host resources can be used to access shared data or escalate privileges </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> and should not be allowed. This policy ensures no hostPath volumes are in use.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">host-path</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?volumes.orValue([]).all(volume, size(volume) == 0 || !has(volume.hostPath))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-host-path/disallow-host-path/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-host-path/disallow-host-path/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/baseline/disallow-host-path/disallow-host-path.yaml" target="-blank">/pod-security-vpol/baseline/disallow-host-path/disallow-host-path.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-path</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow hostPath in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,Volume</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> HostPath volumes let Pods use host directories and volumes in containers. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Using host resources can be used to access shared data or escalate privileges </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> and should not be allowed. This policy ensures no hostPath volumes are in use.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> object.spec.?volumes.orValue([]).all(volume, !has(volume.hostPath))</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-host-ports/disallow-host-ports/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-host-ports/disallow-host-ports/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml" target="-blank">/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-ports</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow hostPorts</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Access to host ports allows potential snooping of network traffic and should not be </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> field is unset or set to `0`. </span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">host-ports-none</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="sd"> Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> must either be unset or set to `0`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">=(ports)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">=(hostPort)</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">=(ports)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">=(hostPort)</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">=(ports)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">=(hostPort)</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml" target="-blank">/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-ports</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow hostPorts in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Access to host ports allows potential snooping of network traffic and should not be </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> field is unset or set to `0`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">host-ports-none</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> container.?ports.orValue([]).all(port, port.?hostPort.orValue(0) == 0))</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort, </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> must either be unset or set to `0`.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-host-ports/disallow-host-ports/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-host-ports/disallow-host-ports/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/baseline/disallow-host-ports/disallow-host-ports.yaml" target="-blank">/pod-security-vpol/baseline/disallow-host-ports/disallow-host-ports.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-ports</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow hostPorts in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Access to host ports allows potential snooping of network traffic and should not be </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> field is unset or set to `0`. </span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="l">variables.allContainers.all(container, </span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="l">container.?ports.orValue([]).all(port, port.?hostPort.orValue(0) == 0))</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> must either be unset or set to `0`.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml" target="-blank">/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-ports-range</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow hostPorts Range (Alternate)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Access to host ports allows potential snooping of network traffic and should not be </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> allowed by requiring host ports be undefined (recommended) or at minimum restricted to a known list. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy ensures the `hostPort` field, if defined, is set to either a port in the specified range </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> or to a value of zero. This policy is mutually exclusive of the disallow-host-ports policy. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> Note that Kubernetes Pod Security Admission does not support the host port range rule.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">host-port-range</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> The only permitted hostPorts are in the range 5000-6000 or 0.</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.[ephemeralContainers, initContainers, containers][].ports[].hostPort }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">5000-6000</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.[ephemeralContainers, initContainers, containers][].ports[].hostPort }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="m">0</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml" target="-blank">/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-ports-range</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow hostPorts Range (Alternate) in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Access to host ports allows potential snooping of network traffic and should not be </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> field is set to one in the designated list. Note that Kubernetes Pod Security Admission </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> does not support this rule.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">host-port-range</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="l">variables.allContainers.all(container, </span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="l">container.?ports.orValue([]).all(port,</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="l">size(port) == 0 ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>!<span class="l">has(port.hostPort) || (port.hostPort &gt;= 5000 &amp;&amp; port.hostPort &lt;= 6000) )) </span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> The only permitted hostPorts are in the range 5000-6000.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-host-process/disallow-host-process/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-host-process/disallow-host-process/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/baseline/disallow-host-process/disallow-host-process.yaml" target="-blank">/pod-security/baseline/disallow-host-process/disallow-host-process.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-process</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow hostProcess</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Windows pods offer the ability to run HostProcess containers which enables privileged </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> access to the Windows node. Privileged access to the host is disallowed in the baseline </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the `hostProcess` field, if present, is set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">host-process-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess, </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess, </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> and spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> or set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">=(windowsOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">=(hostProcess)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">=(windowsOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">=(hostProcess)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">=(windowsOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">=(hostProcess)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-host-process/disallow-host-process/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-host-process/disallow-host-process/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml" target="-blank">/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-process</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow hostProcess in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Windows pods offer the ability to run HostProcess containers which enables privileged </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> access to the Windows node. Privileged access to the host is disallowed in the baseline </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the `hostProcess` field, if present, is set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">host-process-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> container.?securityContext.?windowsOptions.?hostProcess.orValue(false) == false)</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> HostProcess containers are disallowed. The field spec.containers[*].securityContext.windowsOptions.hostProcess, </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.windowsOptions.hostProcess, and </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> must either be undefined or set to `false`. </span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-host-process/disallow-host-process/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-host-process/disallow-host-process/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/baseline/disallow-host-process/disallow-host-process.yaml" target="-blank">/pod-security-vpol/baseline/disallow-host-process/disallow-host-process.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-host-process</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow hostProcess in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Windows pods offer the ability to run HostProcess containers which enables privileged </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> access to the Windows node. Privileged access to the host is disallowed in the baseline </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the `hostProcess` field, if present, is set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> container.?securityContext.?windowsOptions.?hostProcess.orValue(false) == false)</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> HostProcess containers are disallowed. The field spec.containers[*].securityContext.windowsOptions.hostProcess, </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.windowsOptions.hostProcess, and </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> must either be undefined or set to `false`. </span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/disallow-latest-tag/disallow-latest-tag/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/disallow-latest-tag/disallow-latest-tag/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/disallow-latest-tag/disallow-latest-tag.yaml" target="-blank">/best-practices/disallow-latest-tag/disallow-latest-tag.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-latest-tag</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Latest Tag</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> The &#39;:latest&#39; tag is mutable and can lead to unexpected errors if the </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> image changes. A best practice is to use an immutable tag that maps to </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> a specific version of an application Pod. This policy validates that the image </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> specifies a tag and that it is not called `latest`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-image-tag</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;An image tag is required.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.initContainers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.ephemeralContainers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-image-tag</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Using a mutable image tag e.g. &#39;latest&#39; is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!*:latest&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.initContainers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!*:latest&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.ephemeralContainers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!*:latest&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/disallow-latest-tag/disallow-latest-tag/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/disallow-latest-tag/disallow-latest-tag/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml" target="-blank">/best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-latest-tag</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Latest Tag in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> The &#39;:latest&#39; tag is mutable and can lead to unexpected errors if the </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> image changes. A best practice is to use an immutable tag that maps to </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> a specific version of an application Pod. This policy validates that the image </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> specifies a tag and that it is not called `latest`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-and-validate-image-tag</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers.all(container, container.image.contains(&#39;:&#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;An image tag is required.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers.all(container, !container.image.endsWith(&#39;:latest&#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Using a mutable image tag e.g. &#39;latest&#39; is not allowed.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/disallow-localhost-services/disallow-localhost-services/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/disallow-localhost-services/disallow-localhost-services/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/disallow-localhost-services/disallow-localhost-services.yaml" target="-blank">/other/disallow-localhost-services/disallow-localhost-services.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span>-<span class="l">localhost-service</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Localhost ExternalName Services</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> A Service of type ExternalName which points back to localhost can potentially be used to exploit </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> if the externalName field refers to localhost.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span>-<span class="l">localhost-service</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Service of type ExternalName cannot point to localhost.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">(type)</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalName</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">externalName</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!localhost&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/disallow-localhost-services/disallow-localhost-services/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/disallow-localhost-services/disallow-localhost-services/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/disallow-localhost-services/disallow-localhost-services.yaml" target="-blank">/other-cel/disallow-localhost-services/disallow-localhost-services.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span>-<span class="l">localhost-service</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Localhost ExternalName Services in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> A Service of type ExternalName which points back to localhost can potentially be used to exploit </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> if the externalName field refers to localhost.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span>-<span class="l">localhost-service</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.type != &#39;ExternalName&#39; || object.spec.externalName != &#39;localhost&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Service of type ExternalName cannot point to localhost.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/restrict-node-port/restrict-node-port/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/restrict-node-port/restrict-node-port/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/restrict-node-port/restrict-node-port.yaml" target="-blank">/best-practices/restrict-node-port/restrict-node-port.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-nodeport</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow NodePort</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> A Kubernetes Service of type NodePort uses a host port to receive traffic from </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> any source. A NetworkPolicy cannot be used to control traffic to host ports. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Although NodePort Services can be useful, their use must be limited to Services </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> with additional upstream security checks. This policy validates that any new Services </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> do not use the `NodePort` type.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-nodeport</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Services of type NodePort are not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">=(type)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!NodePort&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/restrict-node-port/restrict-node-port/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/restrict-node-port/restrict-node-port/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/restrict-node-port/restrict-node-port.yaml" target="-blank">/best-practices-cel/restrict-node-port/restrict-node-port.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-nodeport</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow NodePort in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> A Kubernetes Service of type NodePort uses a host port to receive traffic from </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> any source. A NetworkPolicy cannot be used to control traffic to host ports. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Although NodePort Services can be useful, their use must be limited to Services </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> with additional upstream security checks. This policy validates that any new Services </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> do not use the `NodePort` type.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-nodeport</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has(object.spec.type) ? (object.spec.type != &#39;NodePort&#39;) : true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Services of type NodePort are not allowed.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml" target="-blank">/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-jenkins-pipeline-strategy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow OpenShift Jenkins Pipeline Build Strategy </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">OpenShift</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.20&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">BuildConfig</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-build-strategy</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">v1/BuildConfig</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">build.openshift.io/v1/BuildConfig</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="sd"> Jenkins Pipeline Build Strategy has been deprecated and is not allowed</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ keys(request.object.spec.strategy) | contains(@, &#39;jenkinsPipelineStrategy&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml" target="-blank">/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-jenkins-pipeline-strategy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow OpenShift Jenkins Pipeline Build Strategy in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">OpenShift in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">BuildConfig</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-build-strategy</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">v1/BuildConfig</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">build.openshift.io/v1/BuildConfig</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!has(object.spec.strategy.jenkinsPipelineStrategy)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> Jenkins Pipeline Build Strategy has been deprecated and is not allowed</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml" target="-blank">/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-privilege-escalation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Privilege Escalation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy ensures the `allowPrivilegeEscalation` field is set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">privilege-escalation</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="sd"> Privilege escalation is disallowed. The fields </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="sd"> spec.containers[*].securityContext.allowPrivilegeEscalation, </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.allowPrivilegeEscalation, </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> must be set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">allowPrivilegeEscalation</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">allowPrivilegeEscalation</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">allowPrivilegeEscalation</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml" target="-blank">/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-privilege-escalation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Privilege Escalation in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy ensures the `allowPrivilegeEscalation` field is set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">privilege-escalation</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="l">variables.allContainers.all(container, </span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="l">container.?securityContext.allowPrivilegeEscalation.orValue(true) == false)</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> Privilege escalation is disallowed. </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> All containers must set the securityContext.allowPrivilegeEscalation field to `false`.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/restricted/disallow-privilege-escalation/disallow-privilege-escalation/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/restricted/disallow-privilege-escalation/disallow-privilege-escalation/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml" target="-blank">/pod-security-vpol/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-privilege-escalation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Privilege Escalation in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy ensures the `allowPrivilegeEscalation` field is set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="l">variables.allContainers.all(container, </span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="l">container.?securityContext.allowPrivilegeEscalation.orValue(true) == false)</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> Privilege escalation is disallowed. </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> All containers must set the securityContext.allowPrivilegeEscalation field to `false`.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml" target="-blank">/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-privileged-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Privileged Containers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Privileged mode disables most security mechanisms and must not be allowed. This policy </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> ensures Pods do not call for privileged mode.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">privileged-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="sd"> Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged, </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.privileged, and spec.ephemeralContainers[*].securityContext.privileged must be unset or set to `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">=(privileged)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">=(privileged)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">=(privileged)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml" target="-blank">/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-privileged-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Privileged Containers in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Privileged mode disables most security mechanisms and must not be allowed. This policy </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> ensures Pods do not call for privileged mode.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">privileged-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.allContainers.all(container, container.?securityContext.?privileged.orValue(false) == false)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Privileged mode is disallowed. All containers must set the securityContext.privileged field to `false` or unset the field.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-privileged-containers/disallow-privileged-containers/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-privileged-containers/disallow-privileged-containers/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml" target="-blank">/pod-security-vpol/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-privileged-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Privileged Containers in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Privileged mode disables most security mechanisms and must not be allowed. This policy </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> ensures Pods do not call for privileged mode.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.allContainers.all(container, container.?securityContext.?privileged.orValue(false) == false)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Privileged mode is disallowed. All containers must set the securityContext.privileged field to `false` or unset the field.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-proc-mount/disallow-proc-mount/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-proc-mount/disallow-proc-mount/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml" target="-blank">/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-proc-mount</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow procMount</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> The default /proc masks are set up to reduce attack surface and should be required. This policy </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> ensures nothing but the default procMount can be specified. Note that in order for users </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to deviate from the `Default` procMount requires setting a feature gate at the API </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> server.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-proc-mount</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> Changing the proc mount from the default is not allowed. The fields </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount, </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> and spec.ephemeralContainers[*].securityContext.procMount must be unset or </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> set to `Default`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">=(procMount)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Default&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">=(procMount)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Default&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">=(procMount)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Default&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml" target="-blank">/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-proc-mount</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow procMount in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The default /proc masks are set up to reduce attack surface and should be required. This policy </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> ensures nothing but the default procMount can be specified. Note that in order for users </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> to deviate from the `Default` procMount requires setting a feature gate at the API </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> server.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-proc-mount</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.allContainers.all(container, container.?securityContext.?procMount.orValue(&#39;Default&#39;) == &#39;Default&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Changing the proc mount from the default is not allowed.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-proc-mount/disallow-proc-mount/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-proc-mount/disallow-proc-mount/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/baseline/disallow-proc-mount/disallow-proc-mount.yaml" target="-blank">/pod-security-vpol/baseline/disallow-proc-mount/disallow-proc-mount.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-proc-mount</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow procMount in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The default /proc masks are set up to reduce attack surface and should be required. This policy </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> ensures nothing but the default procMount can be specified. Note that in order for users </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> to deviate from the `Default` procMount requires setting a feature gate at the API </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> server.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.allContainers.all(container, container.?securityContext.?procMount.orValue(&#39;Default&#39;) == &#39;Default&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Changing the proc mount from the default is not allowed.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml" target="-blank">/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secrets-not-from-env-vars</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Secrets from Env Vars</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Secrets used as environment variables containing sensitive information may, if not carefully controlled, </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> be printed in log output which could be visible to unauthorized people and captured in forwarding </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> applications. This policy disallows using Secrets as environment variables.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secrets-not-from-env-vars</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Secrets must be mounted as volumes, not as environment variables.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">=(env)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">=(valueFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">X(secretKeyRef)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secrets-not-from-envfrom</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Secrets must not come from envFrom statements.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">=(envFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">X(secretRef)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml" target="-blank">/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secrets-not-from-env-vars</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Secrets from Env Vars in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Secrets used as environment variables containing sensitive information may, if not carefully controlled, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> be printed in log output which could be visible to unauthorized people and captured in forwarding </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> applications. This policy disallows using Secrets as environment variables.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secrets-not-from-env-vars</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers.all(container, container.?env.orValue([]).all(env, env.?valueFrom.?secretKeyRef.orValue(true)))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Secrets must be mounted as volumes, not as environment variables.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers.all(container, container.?envFrom.orValue([]).all(envFrom, !has(envFrom.secretRef)))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Secrets must not come from envFrom statements.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-selinux/disallow-selinux/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/disallow-selinux/disallow-selinux/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/baseline/disallow-selinux/disallow-selinux.yaml" target="-blank">/pod-security/baseline/disallow-selinux/disallow-selinux.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-selinux</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow SELinux</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> SELinux options can be used to escalate privileges and should not be allowed. This policy </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> ensures that the `seLinuxOptions` field is undefined.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">selinux-type</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="sd"> Setting the SELinux type is restricted. The fields </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="sd"> spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type, </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> , spec.initContainers[*].securityContext.seLinuxOptions, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.type </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">=(seLinuxOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">=(type)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;container_t | container_init_t | container_kvm_t&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">=(seLinuxOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">=(type)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;container_t | container_init_t | container_kvm_t&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">=(seLinuxOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">=(type)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;container_t | container_init_t | container_kvm_t&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">=(seLinuxOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">=(type)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;container_t | container_init_t | container_kvm_t&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">selinux-user-role</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="sd"> Setting the SELinux user or role is forbidden. The fields </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="sd"> spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role, </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="sd"> spec.containers[*].securityContext.seLinuxOptions.user, spec.containers[*].securityContext.seLinuxOptions.role, </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.seLinuxOptions.user, spec.initContainers[*].securityContext.seLinuxOptions.role, </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="sd"> spec.ephemeralContainers[*].securityContext.seLinuxOptions.user, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="sd"> must be unset.</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">=(seLinuxOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">X(user)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">X(role)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">=(seLinuxOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">X(user)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">X(role)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">=(seLinuxOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span><span class="nt">X(user)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span><span class="nt">X(role)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span><span class="nt">=(seLinuxOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span><span class="nt">X(user)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="w"> </span><span class="nt">X(role)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-selinux/disallow-selinux/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/disallow-selinux/disallow-selinux/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml" target="-blank">/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-selinux</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow SELinux in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> SELinux options can be used to escalate privileges and should not be allowed. This policy </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> ensures that the `seLinuxOptions` field is undefined.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">selinux-type</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainerTypes</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">seLinuxTypes</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;container_t&#39;, &#39;container_init_t&#39;, &#39;container_kvm_t&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> (!has(object.spec.securityContext) || </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> !has(object.spec.securityContext.seLinuxOptions) || </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> !has(object.spec.securityContext.seLinuxOptions.type) || </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> variables.seLinuxTypes.exists(type, type == object.spec.securityContext.seLinuxOptions.type)) &amp;&amp; </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> variables.allContainerTypes.all(container, </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> !has(container.securityContext) || </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> !has(container.securityContext.seLinuxOptions) || </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> !has(container.securityContext.seLinuxOptions.type) || </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> variables.seLinuxTypes.exists(type, type == container.securityContext.seLinuxOptions.type))</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> Setting the SELinux type is restricted. The field securityContext.seLinuxOptions.type must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">selinux-user-role</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainerTypes</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="sd"> (!has(object.spec.securityContext) || </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="sd"> !has(object.spec.securityContext.seLinuxOptions) || </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="sd"> (!has(object.spec.securityContext.seLinuxOptions.user) &amp;&amp; !has(object.spec.securityContext.seLinuxOptions.role))) &amp;&amp; </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="sd"> variables.allContainerTypes.all(container, </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="sd"> !has(container.securityContext) || </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="sd"> !has(container.securityContext.seLinuxOptions) || </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="sd"> (!has(container.securityContext.seLinuxOptions.user) &amp;&amp; !has(container.securityContext.seLinuxOptions.role)))</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="sd"> Setting the SELinux user or role is forbidden. The fields seLinuxOptions.user and seLinuxOptions.role must be unset.</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-selinux/disallow-selinux/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/disallow-selinux/disallow-selinux/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/baseline/disallow-selinux/disallow-selinux.yaml" target="-blank">/pod-security-vpol/baseline/disallow-selinux/disallow-selinux.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-selinux</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow SELinux in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> SELinux options can be used to escalate privileges and should not be allowed. This policy </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> ensures that the `seLinuxOptions` field is undefined.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainerTypes</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">seLinuxTypes</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;container_t&#39;, &#39;container_init_t&#39;, &#39;container_kvm_t&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hasValidSELinuxType</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> object.spec.?securityContext.?seLinuxOptions.?type.orValue(&#39;&#39;) == &#39;&#39; || </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> variables.seLinuxTypes.exists(type, type == object.spec.securityContext.seLinuxOptions.type)</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hasValidSELinuxUserRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> object.spec.?securityContext.?seLinuxOptions.?user.orValue(&#39;&#39;) == &#39;&#39; &amp;&amp; </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> object.spec.?securityContext.?seLinuxOptions.?role.orValue(&#39;&#39;) == &#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="sd"> variables.hasValidSELinuxType &amp;&amp; </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="sd"> variables.allContainerTypes.all(container, </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="sd"> container.?securityContext.?seLinuxOptions.?type.orValue(&#39;&#39;) == &#39;&#39; || </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="sd"> variables.seLinuxTypes.exists(type, type == container.securityContext.seLinuxOptions.type))</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="sd"> Setting the SELinux type is restricted. The field securityContext.seLinuxOptions.type </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="sd"> must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="sd"> variables.hasValidSELinuxUserRole &amp;&amp; </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="sd"> variables.allContainerTypes.all(container, </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="sd"> container.?securityContext.?seLinuxOptions.?user.orValue(&#39;&#39;) == &#39;&#39; &amp;&amp; </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="sd"> container.?securityContext.?seLinuxOptions.?role.orValue(&#39;&#39;) == &#39;&#39;)</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="sd"> Setting the SELinux user or role is forbidden. The fields seLinuxOptions.user and seLinuxOptions.role must be unset.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-loadbalancer/restrict-loadbalancer/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-loadbalancer/restrict-loadbalancer/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-loadbalancer/restrict-loadbalancer.yaml" target="-blank">/other/restrict-loadbalancer/restrict-loadbalancer.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span>-<span class="l">loadbalancer-service</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Service Type LoadBalancer</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Especially in cloud provider environments, a Service having type LoadBalancer will cause the </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> provider to respond by creating a load balancer somewhere in the customer account. This adds </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> cost and complexity to a deployment. Without restricting this ability, users may easily </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> overrun established budgets and security practices set by the organization. This policy restricts </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> use of the Service type LoadBalancer.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span>-<span class="l">LoadBalancer</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Service of type LoadBalancer is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!LoadBalancer&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-loadbalancer/restrict-loadbalancer/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-loadbalancer/restrict-loadbalancer/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-loadbalancer/restrict-loadbalancer.yaml" target="-blank">/other-cel/restrict-loadbalancer/restrict-loadbalancer.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span>-<span class="l">loadbalancer-service</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow Service Type LoadBalancer in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Especially in cloud provider environments, a Service having type LoadBalancer will cause the </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> provider to respond by creating a load balancer somewhere in the customer account. This adds </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> cost and complexity to a deployment. Without restricting this ability, users may easily </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> overrun established budgets and security practices set by the organization. This policy restricts </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> use of the Service type LoadBalancer.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span>-<span class="l">LoadBalancer</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.type != &#39;LoadBalancer&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Service of type LoadBalancer is not allowed.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml" target="-blank">/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-security-context-constraint-anyuid</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow use of the SecurityContextConstraint (SCC) anyuid</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.20&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Role,ClusterRole,RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-security-context-constraint</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="sd"> Use of the SecurityContextConstraint (SCC) anyuid is not allowed</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.rules[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">anyuid</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.resourceNames[]}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.verbs[] | contains(@, &#39;use&#39;) || contains(@, &#39;*&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-security-context-roleref</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="l">RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="sd"> Use of the SecurityContextConstraint (SCC) anyuid is not allowed</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">system:openshift:scc:anyuid</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.roleRef.name}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml" target="-blank">/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">disallow-security-context-constraint-anyuid</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Disallow use of the SecurityContextConstraint (SCC) anyuid in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Role,ClusterRole,RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-security-context-constraint</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!object.?rules.orValue([]).exists(rule, &#39;anyuid&#39; in rule.resourceNames &amp;&amp; (&#39;use&#39; in rule.verbs || &#39;*&#39; in rule.verbs))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> Use of the SecurityContextConstraint (SCC) anyuid is not allowed</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-security-context-roleref</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.roleRef.name != &#39;system:openshift:scc:anyuid&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="sd"> Use of the SecurityContextConstraint (SCC) anyuid is not allowed</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/docker-socket-requires-label/docker-socket-requires-label/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/docker-socket-requires-label/docker-socket-requires-label/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/docker-socket-requires-label/docker-socket-requires-label.yaml" target="-blank">/other/docker-socket-requires-label/docker-socket-requires-label.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">docker-socket-check</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Docker Socket Requires Label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Accessing a container engine&#39;s socket is for highly specialized use cases and should generally </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> be disabled. If access must be granted, it should be done on an explicit basis. This policy </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> to `true`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">conditional-anchor-dockersock</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">allow-docker</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">(spec)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">(volumes)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">(hostPath)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/var/run/docker.sock&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/docker-socket-requires-label/docker-socket-requires-label/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/docker-socket-requires-label/docker-socket-requires-label/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml" target="-blank">/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">docker-socket-check</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Docker Socket Requires Label in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Accessing a container engine&#39;s socket is for highly specialized use cases and should generally </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> be disabled. If access must be granted, it should be done on an explicit basis. This policy </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> to `true`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">docker-socket-check</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hasDockerSocket</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?volumes.orValue([]).exists(volume, volume.?hostPath.?path.orValue(&#39;&#39;) == &#39;/var/run/docker.sock&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">isAllowDockerLabelTrue</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.metadata.?labels[?&#39;allow-docker&#39;].orValue(&#39;false&#39;) == &#39;true&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!variables.hasDockerSocket || variables.isAllowDockerLabelTrue&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/require-drop-all/require-drop-all/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/require-drop-all/require-drop-all/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/require-drop-all/require-drop-all.yaml" target="-blank">/best-practices/require-drop-all/require-drop-all.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">drop-all-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Drop All Capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Capabilities permit privileged actions without giving full root access. All </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> capabilities should be dropped from a Pod, with only those required added back. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy ensures that all containers explicitly specify the `drop: [&#34;ALL&#34;]` </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> ability. Note that this policy also illustrates how to cover drop entries in any </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> case although this may not strictly conform to the Pod Security Standards.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-drop-all</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> Containers must drop `ALL` capabilities.</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.[ephemeralContainers, initContainers, containers][]</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">ALL</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/require-drop-all/require-drop-all/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/require-drop-all/require-drop-all/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/require-drop-all/require-drop-all.yaml" target="-blank">/best-practices-cel/require-drop-all/require-drop-all.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">drop-all-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Drop All Capabilities in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Capabilities permit privileged actions without giving full root access. All </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> capabilities should be dropped from a Pod, with only those required added back. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy ensures that all containers explicitly specify the `drop: [&#34;ALL&#34;]` </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> ability. Note that this policy also illustrates how to cover drop entries in any </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> case although this may not strictly conform to the Pod Security Standards.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-drop-all</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() == &#39;ALL&#39;))</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Containers must drop `ALL` capabilities.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml" target="-blank">/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">drop-cap-net-raw</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Drop CAP_NET_RAW</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Capabilities permit privileged actions without giving full root access. The </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> CAP_NET_RAW capability, enabled by default, allows processes in a container to </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> forge packets and bind to any interface potentially leading to MitM attacks. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy ensures that all containers explicitly drop the CAP_NET_RAW </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> ability. Note that this policy also illustrates how to cover drop entries in any </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> case although this may not strictly conform to the Pod Security Standards.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-drop-cap-net-raw</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> Containers must drop the `CAP_NET_RAW` capability.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.[ephemeralContainers, initContainers, containers][]</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">CAP_NET_RAW</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">NET_RAW</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml" target="-blank">/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">drop-cap-net-raw</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Drop CAP_NET_RAW in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Capabilities permit privileged actions without giving full root access. The </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> CAP_NET_RAW capability, enabled by default, allows processes in a container to </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> forge packets and bind to any interface potentially leading to MitM attacks. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy ensures that all containers explicitly drop the CAP_NET_RAW </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> ability. Note that this policy also illustrates how to cover drop entries in any </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> case although this may not strictly conform to the Pod Security Standards.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-drop-cap-net-raw</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mustDropCapabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;CAP_NET_RAW&#39;,&#39;NET_RAW&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() in variables.mustDropCapabilities))</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> Containers must drop the `CAP_NET_RAW` capability.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kubecost/enable-kubecost-continuous-rightsizing/enable-kubecost-continuous-rightsizing/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kubecost/enable-kubecost-continuous-rightsizing/enable-kubecost-continuous-rightsizing/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kubecost/enable-kubecost-continuous-rightsizing/enable-kubecost-continuous-rightsizing.yaml" target="-blank">/kubecost/enable-kubecost-continuous-rightsizing/enable-kubecost-continuous-rightsizing.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enable-kubecost-continuous-rightsizing</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enable Kubecost Continuous Rightsizing</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Kubecost</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.25&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Kubecost is able to modify container resource requests and limits dynamically </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> based upon observed utilization patterns and recommendations. This provides an </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> easy way to automatically improve allocation of cluster resources by increasing </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> efficiency. This policy will annotate all Deployments which have the label </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> `env=test` with `request.autoscaling.kubecost.com/enabled=&#34;true&#34;` if the annotation </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> is not already present. Other annotations may be added according to need and users </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> should see the documentation for a complete list.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enable-kubecost-autoscaling</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span><span class="l">test</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">+(request.autoscaling.kubecost.com/enabled)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml" target="-blank">/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">appproject-clusterresourceblacklist</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce AppProject with clusterResourceBlacklist</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Argo</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">AppProject</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> An AppProject may optionally specify clusterResourceBlacklist which is a blacklisted </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> group of cluster resources. This is often a good practice to ensure AppProjects do </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> not allow more access than needed. This policy is a combination of two rules which </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> enforce that all AppProjects specify clusterResourceBlacklist and that their group </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> and kind have wildcards as values.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">has-wildcard</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">AppProject</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Wildcards must be present in group and kind for clusterResourceBlacklist.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.clusterResourceBlacklist&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ contains(element.group, &#39;*&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ contains(element.kind, &#39;*&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-clusterresourceblacklist</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="l">AppProject</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;AppProject must specify clusterResourceBlacklist.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">clusterResourceBlacklist</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.keys(@) }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml" target="-blank">/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">appproject-clusterresourceblacklist</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce AppProject with clusterResourceBlacklist in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Argo in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">AppProject</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> An AppProject may optionally specify clusterResourceBlacklist which is a blacklisted </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> group of cluster resources. This is often a good practice to ensure AppProjects do </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> not allow more access than needed. This policy is a combination of two rules which </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> enforce that all AppProjects specify clusterResourceBlacklist and that their group </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> and kind have wildcards as values.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">has-wildcard-and-validate-clusterresourceblacklist</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">AppProject</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has(object.spec.clusterResourceBlacklist)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;AppProject must specify clusterResourceBlacklist.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.clusterResourceBlacklist.all(element, element.group.contains(&#39;*&#39;) &amp;&amp; element.kind.contains(&#39;*&#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Wildcards must be present in group and kind for clusterResourceBlacklist.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/consul/enforce-min-tls-version/enforce-min-tls-version/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/consul/enforce-min-tls-version/enforce-min-tls-version/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//consul/enforce-min-tls-version/enforce-min-tls-version.yaml" target="-blank">/consul/enforce-min-tls-version/enforce-min-tls-version.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-min-tls-version</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce Consul min TLS version </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Consul</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Mesh</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-for-tls-version</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Mesh</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The minimum version of TLS is TLS v1_2</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">tls</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">incoming</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">tlsMinVersion</span><span class="p">:</span><span class="w"> </span><span class="l">TLSv1_2</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/consul-cel/enforce-min-tls-version/enforce-min-tls-version/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/consul-cel/enforce-min-tls-version/enforce-min-tls-version/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//consul-cel/enforce-min-tls-version/enforce-min-tls-version.yaml" target="-blank">/consul-cel/enforce-min-tls-version/enforce-min-tls-version.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-min-tls-version</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce Consul min TLS version in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Consul in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Mesh</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-for-tls-version</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Mesh</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> object.?spec.?tls.?incoming.?tlsMinVersion.orValue(&#39;&#39;) == &#39;TLSv1_2&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The minimum version of TLS is TLS v1_2</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift/enforce-etcd-encryption/enforce-etcd-encryption/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift/enforce-etcd-encryption/enforce-etcd-encryption/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml" target="-blank">/openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-etcd-encryption</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce etcd encryption in OpenShift</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">OpenShift</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.20&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">APIServer</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-etcd-encryption</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">config.openshift.io/v1/APIServer</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="sd"> Encryption should be enabled for etcd</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ keys(request.object.spec) | contains(@, &#39;encryption&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml" target="-blank">/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-etcd-encryption</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce etcd encryption in OpenShift in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">OpenShift</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">APIServer</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-etcd-encryption</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">config.openshift.io/v1/APIServer</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has(object.spec.encryption)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> Encryption should be enabled for etcd</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kubevirt/enforce-instancetype/enforce-instancetype/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kubevirt/enforce-instancetype/enforce-instancetype/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kubevirt/enforce-instancetype/enforce-instancetype.yaml" target="-blank">/kubevirt/enforce-instancetype/enforce-instancetype.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k6t-enforce-instancetype</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce instanceTypes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">KubeVirt</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">VirtualMachine</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="sd"> Check VirtualMachines and validate that they are using an instance type and preference.</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.8.0-rc2&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24-1.25&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k6t-ensure-instance-type-and-preference</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="l">VirtualMachine</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;VirtualMachines must use instance types and preferences&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">instancetype</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="p">?</span>*<span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preference</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="p">?</span>*<span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml" target="-blank">/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-ambient-mode-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce Istio Ambient Mode</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In order for Istio to include namespaces in ambient mode, the label </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> set `istio.io/dataplane-mode` to `ambient`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-amblient-mode-enabled</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;All new Namespaces must have Istio ambient mode enabled.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">istio.io/dataplane-mode</span><span class="p">:</span><span class="w"> </span><span class="l">ambient</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml" target="-blank">/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-sidecar-injection-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce Istio Sidecar Injection</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In order for Istio to inject sidecars to workloads deployed into Namespaces, the label </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> set `istio-inject` to `enabled`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-istio-injection-enabled</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;All new Namespaces must have Istio sidecar injection enabled.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">istio-injection</span><span class="p">:</span><span class="w"> </span><span class="l">enabled</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml" target="-blank">/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-sidecar-injection-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce Istio Sidecar Injection in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In order for Istio to inject sidecars to workloads deployed into Namespaces, the label </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> set `istio-inject` to `enabled`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-istio-injection-enabled</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.metadata.?labels[?&#39;istio-injection&#39;].orValue(&#39;&#39;) == &#39;enabled&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;All new Namespaces must have Istio sidecar injection enabled.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio/enforce-strict-mtls/enforce-strict-mtls/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio/enforce-strict-mtls/enforce-strict-mtls/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio/enforce-strict-mtls/enforce-strict-mtls.yaml" target="-blank">/istio/enforce-strict-mtls/enforce-strict-mtls.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-strict-mtls</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce Istio Strict mTLS</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PeerAuthentication</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="l">Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="l">can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="l">the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="l">can reduce the security for traffic within that portion of the mesh and should be controlled.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="l">This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="l">the `mode` be set to either `UNSET` or `STRICT`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-mtls</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">PeerAuthentication</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;PeerAuthentication resources may only set UNSET or STRICT for the mode.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">=(spec)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">=(mtls)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">=(mode)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;UNSET | STRICT&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio-cel/enforce-strict-mtls/enforce-strict-mtls/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio-cel/enforce-strict-mtls/enforce-strict-mtls/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml" target="-blank">/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-strict-mtls</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce Istio Strict mTLS in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PeerAuthentication</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="l">Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="l">can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="l">the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="l">can reduce the security for traffic within that portion of the mesh and should be controlled.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="l">This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="l">the `mode` be set to either `UNSET` or `STRICT`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-mtls</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">PeerAuthentication</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> !has(object.spec) || !has(object.spec.mtls) || !has(object.spec.mtls.mode) || </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> object.spec.mtls.mode in [&#39;UNSET&#39;, &#39;STRICT&#39;]</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;PeerAuthentication resources may only set UNSET or STRICT for the mode.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml" target="-blank">/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-tls-hosts-host-subnets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce Istio TLS on Hosts and Host Subnets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">DestinationRule</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="l">Once a routing decision has been made, a DestinationRule can be used to define how traffic</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="l">should be sent to another service. The trafficPolicy object can control how TLS is handled</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="l">to the destination host. This policy enforces that the TLS mode cannot be set to a value</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="l">of `DISABLE`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">destrule</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">DestinationRule</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;TLS may not be disabled for the trafficPolicy in any host.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">=(spec)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">=(trafficPolicy)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">=(tls)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">=(mode)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!DISABLE&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/enforce-pod-duration/enforce-pod-duration/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/enforce-pod-duration/enforce-pod-duration/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/enforce-pod-duration/enforce-pod-duration.yaml" target="-blank">/other/enforce-pod-duration/enforce-pod-duration.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pod-lifetime</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce pod duration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> This validation is valuable when annotations are used to define durations, </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Pod lifetime annotation can be no greater than 8 hours.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pods-lifetime</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Pod lifetime exceeds limit of 8h&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.annotations.\&#34;pod.kubernetes.io/lifetime\&#34; || &#39;0s&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;8h&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/enforce-pod-duration/enforce-pod-duration/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/enforce-pod-duration/enforce-pod-duration/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/enforce-pod-duration/enforce-pod-duration.yaml" target="-blank">/other-cel/enforce-pod-duration/enforce-pod-duration.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pod-lifetime</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce pod duration in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> This validation is valuable when annotations are used to define durations, </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pod lifetime annotation can be no greater than 8 hours.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pods-lifetime</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hasLifetimeAnnotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.metadata.?annotations[?&#39;pod.kubernetes.io/lifetime&#39;].hasValue()&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">lifetimeAnnotationValue</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.hasLifetimeAnnotation ? object.metadata.annotations[&#39;pod.kubernetes.io/lifetime&#39;] : &#39;0s&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!(duration(variables.lifetimeAnnotationValue) &gt; duration(&#39;8h&#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Pod lifetime exceeds limit of 8h&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/enforce-readwriteonce-pod/enforce-readwriteonce-pod/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/enforce-readwriteonce-pod/enforce-readwriteonce-pod/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml" target="-blank">/other/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">readwriteonce-pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce ReadWriteOncePod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PersistentVolumeClaim</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="sd"> Some stateful workloads with multiple replicas only allow a single Pod to write </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> in 1.27, a new setting called ReadWriteOncePod, available </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> for CSI volumes only, allows volumes to be writable from only a single Pod. For more </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> information see the blog https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">readwrite-pvc-single-pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">PersistentVolumeClaim</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The accessMode must be set to ReadWriteOncePod.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">accessModes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">ReadWriteOncePod</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml" target="-blank">/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">readwriteonce-pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce ReadWriteOncePod in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PersistentVolumeClaim</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27-1.28&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Some stateful workloads with multiple replicas only allow a single Pod to write </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> in 1.27, a new setting called ReadWriteOncePod, available </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> for CSI volumes only, allows volumes to be writable from only a single Pod. For more </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> information see the blog https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">readwrite-pvc-single-pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">PersistentVolumeClaim</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#39;ReadWriteOncePod&#39; in object.spec.accessModes&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The accessMode must be set to ReadWriteOncePod.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/enforce-resources-as-ratio/enforce-resources-as-ratio/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/enforce-resources-as-ratio/enforce-resources-as-ratio/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml" target="-blank">/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion </span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-resources-as-ratio</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce Resources as Ratio</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Resource requests often need to be tailored to the type of workload in the container/Pod. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> With many different types of applications in a cluster, enforcing hard limits on requests </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> or limits may not work and a ratio may be better suited instead. This policy checks every </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> container in a Pod and ensures that memory limits are no more than 2.5x its requests.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-memory-requests-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Limits may not exceed 2.5x the requests.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="c"># Set resources.limits.memory equal to zero if not present and resources.requests.memory equal to 1m rather than zero</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="c"># to avoid undefined division error. No memory request in this case is basically the same as 1m. Kubernetes API server</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="c"># will automatically set requests=limits if only limits is defined.</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ divide(&#39;{{ element.resources.limits.memory || &#39;0&#39; }}&#39;, &#39;{{ element.resources.requests.memory || &#39;1m&#39; }}&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">2.5</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/argo/applicationset-name-matches-project/applicationset-name-matches-project/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/argo/applicationset-name-matches-project/applicationset-name-matches-project/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml" target="-blank">/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">applicationset-name-matches-project</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Ensure ApplicationSet Name Matches Project</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Argo</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ApplicationSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy ensures that the name of the ApplicationSet is the </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> same value provided in the project.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">match-name</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">ApplicationSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The name must match the project.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">project</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//argo-cel/applicationset-name-matches-project/applicationset-name-matches-project.yaml" target="-blank">/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">applicationset-name-matches-project</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Ensure ApplicationSet Name Matches Project in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Argo in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ApplicationSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy ensures that the name of the ApplicationSet is the </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> same value provided in the project.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">match-name</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">ApplicationSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.template.spec.project == object.metadata.name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The name must match the project.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/deployment-replicas-higher-than-pdb/deployment-replicas-higher-than-pdb/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/deployment-replicas-higher-than-pdb/deployment-replicas-higher-than-pdb/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/deployment-replicas-higher-than-pdb/deployment-replicas-higher-than-pdb.yaml" target="-blank">/other/deployment-replicas-higher-than-pdb/deployment-replicas-higher-than-pdb.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment-replicas-higher-than-pdb</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Ensure Deployment Replicas Higher Than PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PodDisruptionBudget, Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> PodDisruptionBudget resources are useful to ensuring minimum availability is maintained at all times. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Introducing a PDB where there are already matching Pod controllers may pose a problem if the author </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> is unaware of the existing replica count. This policy ensures that the minAvailable value is not </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> greater not equal to the replica count of any matching existing Deployment. If other Pod controllers </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> should also be included in this check, additional rules may be added to the policy which match those </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> controllers.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment-replicas-greater-minAvailable</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deploymentreplicas</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">items[?label_match(`{{ request.object.spec.selector.matchLabels }}`, spec.template.metadata.labels)] || `[]`</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="l">/apis/apps/v1/namespaces/{{request.namespace}}/deployments </span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ regex_match(&#39;&#39;^[0-9]+$&#39;&#39;, &#39;&#39;{{ request.object.spec.minAvailable || &#39;&#39;&#39;&#39;}}&#39;&#39;) }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ length(deploymentreplicas) }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> PodDisruption budget minAvailable ({{ request.object.spec.minAvailable }}) cannot be </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> greater than or equal to the replica count of any matching existing Deployment. </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> There are {{ length(deploymentreplicas) }} Deployments which match this labelSelector </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="sd"> having {{ deploymentreplicas[*].spec.replicas }} replicas.</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">deploymentreplicas</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.minAvailable }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.spec.replicas }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/check-hpa-exists/check-hpa-exists/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/check-hpa-exists/check-hpa-exists/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/check-hpa-exists/check-hpa-exists.yaml" target="-blank">/other/check-hpa-exists/check-hpa-exists.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-hpa-exists</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Ensure HPA for Deployments</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.28&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment,ReplicaSet,StatefulSet,DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> The policy checks for the presence of an HPA that targets the resource and denies the creation or update </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> of the resource if no such HPA exists. This policy helps enforce scaling practices </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> and ensures that resources are managed efficiently.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-hpa</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ReplicaSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hpas</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/autoscaling/v1/namespaces/{{ request.namespace }}/horizontalpodautoscalers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[].spec.scaleTargetRef.name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Deployment is not allowed without a corresponding HPA.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ hpas }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/ensure-production-matches-staging/ensure-production-matches-staging/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/ensure-production-matches-staging/ensure-production-matches-staging/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/ensure-production-matches-staging/ensure-production-matches-staging.yaml" target="-blank">/other/ensure-production-matches-staging/ensure-production-matches-staging.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ensure-production-matches-staging</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Ensure Production Matches staging</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 13</span><span class="cl"><span class="sd"> It is common to have two separate Namespaces such as staging and production </span></span></span><span class="line"><span class="ln"> 14</span><span class="cl"><span class="sd"> in order to test and promote app deployments in a controlled manner. In order to ensure </span></span></span><span class="line"><span class="ln"> 15</span><span class="cl"><span class="sd"> that level of control, certain guardrails must be present so as to minimize regressions or </span></span></span><span class="line"><span class="ln"> 16</span><span class="cl"><span class="sd"> unintended behavior. This policy has a set of three rules to try and provide some sane defaults </span></span></span><span class="line"><span class="ln"> 17</span><span class="cl"><span class="sd"> for app promotion across these two environments (Namespaces) called staging and production. First, </span></span></span><span class="line"><span class="ln"> 18</span><span class="cl"><span class="sd"> it makes sure that every Deployment in production has a corresponding Deployment in staging. Second, </span></span></span><span class="line"><span class="ln"> 19</span><span class="cl"><span class="sd"> that a production Deployment uses same image name as its staging counterpart. Third, that </span></span></span><span class="line"><span class="ln"> 20</span><span class="cl"><span class="sd"> a production Deployment uses an older or equal image version as its staging counterpart.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 23</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 24</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 25</span><span class="cl"><span class="w"></span><span class="c">#######################</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 26</span><span class="cl"><span class="w"></span><span class="c"># Ensures that each Deployment being created in production</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 27</span><span class="cl"><span class="w"></span><span class="c"># has an existing Deployment already in staging of the same name.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 28</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-staging-deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 29</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 30</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 31</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 32</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 33</span><span class="cl"><span class="w"> </span>- <span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 34</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 35</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 36</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 37</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 41</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 42</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 43</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 44</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment_count</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 45</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 46</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/apps/v1/namespaces/staging/deployments&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 47</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?metadata.name==&#39;{{ request.object.metadata.name }}&#39;] || `[]` | length(@)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 48</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 49</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Every Deployment in production requires a corresponding Deployment in staging.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 50</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 51</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 52</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 53</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{deployment_count}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 54</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 55</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 56</span><span class="cl"><span class="w"></span><span class="c">#######################</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 57</span><span class="cl"><span class="w"></span><span class="c"># Ensures that each corresponding Deployment in staging and production</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 58</span><span class="cl"><span class="w"></span><span class="c"># Namespaces uses the same image name (not tag).</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 59</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-same-image</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 60</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 61</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 62</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 63</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 64</span><span class="cl"><span class="w"> </span>- <span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 65</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 66</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 67</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 68</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 69</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 70</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 71</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 72</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 73</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 74</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ deployment_count }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 75</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 76</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 77</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 78</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment_count</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 79</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 80</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/apps/v1/namespaces/staging/deployments&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 81</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?metadata.name==&#39;{{ request.object.metadata.name}}&#39;] || `[]` | length(@)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 82</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment_images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 83</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 84</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/apps/v1/namespaces/staging/deployments/{{ request.object.metadata.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 85</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;spec.template.spec.containers[].image.split(@, &#39;:&#39;)[0]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 86</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 87</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Every Deployment in production is required to use the same image(s) as in staging.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 88</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 89</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 90</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 91</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.template.spec.containers[].image.split(@, &#39;:&#39;)[0] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 92</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 93</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ deployment_images }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 94</span><span class="cl"><span class="w"></span><span class="c">#######################</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 95</span><span class="cl"><span class="w"></span><span class="c"># Ensures that each image version in production is less than or</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 96</span><span class="cl"><span class="w"></span><span class="c"># equal to its corresponding image version in staging. Uses the container</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 97</span><span class="cl"><span class="w"></span><span class="c"># name as the basis for comparison. Recommended to pair this policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 98</span><span class="cl"><span class="w"></span><span class="c"># with another policy or rule which enforces only semver image tags, or otherwise extend this rule</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 99</span><span class="cl"><span class="w"></span><span class="c"># with a precondition which filters out everything else.</span><span class="w"> </span></span></span><span class="line"><span class="ln">100</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-same-or-older-imageversion</span><span class="w"> </span></span></span><span class="line"><span class="ln">101</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">102</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">103</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">104</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">105</span><span class="cl"><span class="w"> </span>- <span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="ln">106</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">107</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">108</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">109</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">110</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">111</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">112</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">113</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE </span><span class="w"> </span></span></span><span class="line"><span class="ln">114</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">115</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ deployment_count }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">116</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">117</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">118</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">119</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment_count</span><span class="w"> </span></span></span><span class="line"><span class="ln">120</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">121</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/apps/v1/namespaces/staging/deployments&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">122</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[? metadata.name == &#39;{{ request.object.metadata.name }}&#39; ] | length(@)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">123</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment_containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">124</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">125</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/apps/v1/namespaces/staging/deployments/{{ request.object.metadata.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">126</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;spec.template.spec.containers[]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">127</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">128</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Every Deployment in production is required to use an image version less than or equal to the one in staging.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">129</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">130</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.template.spec.containers[]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">131</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">132</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">133</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">134</span><span class="cl"><span class="w"> </span><span class="c"># Uses the container name as the basis for comparing the image tag. Only semver has been tested.</span><span class="w"> </span></span></span><span class="line"><span class="ln">135</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image.split(@,&#39;:&#39;)[1] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">136</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">137</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ deployment_containers[?name == &#39;{{element.name}}&#39;].image.split(@,&#39;:&#39;)[1] | [0] }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/ensure-readonly-hostpath/ensure-readonly-hostpath/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/ensure-readonly-hostpath/ensure-readonly-hostpath/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml" target="-blank">/other/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ensure-readonly-hostpath</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Ensure Read Only hostPath</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> even if confined to a &#34;safe&#34; file system on the host and may escape those confines (see </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> mode. This policy checks all containers for any hostPath volumes and ensures they are </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> explicitly mounted in readOnly mode.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ensure-hostpaths-readonly</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">All hostPath volumes must be mounted as readOnly.</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="c"># Fetch all volumes in the Pod which are a hostPath. Store the names in an array. There could be multiple in a Pod so can&#39;t assume just one.</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.volumes[?hostPath][]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="c"># For every name found for a hostPath volume (stored as `{{element}}`), check all containers, initContainers, and ephemeralContainers which mount this volume and</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="c"># total up the number of them. Compare that to the ones with that same name which explicitly specify that `readOnly: true`. If these two</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="c"># counts aren&#39;t equal, deny the Pod because at least one is attempting to mount that hostPath in read/write mode. Note that the absence of</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="c"># the `readOnly: true` field implies read/write access. Therefore, every hostPath volume must explicitly specify that it should be mounted</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="c"># in readOnly mode, regardless of where that occurs in a Pod.</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.[containers, initContainers, ephemeralContainers][].volumeMounts[?name == &#39;{{element.name}}&#39;][] | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.[containers, initContainers, ephemeralContainers][].volumeMounts[?name == &#39;{{element.name}}&#39; &amp;&amp; readOnly] [] | length(@) }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml" target="-blank">/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ensure-readonly-hostpath</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Ensure Read Only hostPath in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> even if confined to a &#34;safe&#34; file system on the host and may escape those confines (see </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> mode. This policy checks all containers for any hostPath volumes and ensures they are </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> explicitly mounted in readOnly mode.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ensure-hostpaths-readonly</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hostPathVolumes</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?volumes.orValue([]).filter(volume, has(volume.hostPath))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> variables.hostPathVolumes.all(hostPath, variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> container.volumeMounts.orValue([]).all(volume, (hostPath.name != volume.name) || volume.?readOnly.orValue(false) == true)))</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">All hostPath volumes must be mounted as readOnly.</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/check-ingress-nginx-controller-version-and-annotation-policy/check-ingress-nginx-controller-version-and-annotation-policy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/check-ingress-nginx-controller-version-and-annotation-policy/check-ingress-nginx-controller-version-and-annotation-policy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/check-ingress-nginx-controller-version-and-annotation-policy/check-ingress-nginx-controller-version-and-annotation-policy.yaml" target="-blank">/other/check-ingress-nginx-controller-version-and-annotation-policy/check-ingress-nginx-controller-version-and-annotation-policy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-ingress-nginx-controller-version-and-annotation-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Ensure Valid Ingress NGINX Controller and Annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress, Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.28&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress, Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy ensures that Ingress resources do not have certain disallowed annotations and that the ingress-nginx </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> controller Pod is running an appropriate version of the image. It checks for the presence of the </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> `nginx.ingress.kubernetes.io/server-snippet` annotation and disallows its usage, enforces specific values </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> for `auth-tls-verify-client`, and ensures that the ingress-nginx controller image is of the required version.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-ingress-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The annotation nginx.ingress.kubernetes.io/server-snippet is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">X(nginx.ingress.kubernetes.io/server-snippet)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-auth-tls-verify-client</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;auth-tls-verify-client annotation must be &#39;on&#39;, &#39;off&#39;, &#39;optional&#39;, or &#39;optional_no_ca&#39;.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.annotations.\&#34;nginx.ingress.kubernetes.io/auth-tls-verify-client\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;on&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;off&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;optional&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;optional_no_ca&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ensure-ingress-nginx-controller-version-pattern</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The ingress-nginx controller image version must start with v1.11.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">controller</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.11.*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-lower-ingress-nginx-controller-versions</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The ingress-nginx controller image version must be v1.11.2 or greater.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.containers[?(@.name==&#39;controller&#39;)].image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.11.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.11.1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.10.*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.9.*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.8.*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.7.*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.6.*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.5.*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">83</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.4.*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">84</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.3.*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">85</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.2.*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">86</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.1.*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">87</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.k8s.io/ingress-nginx/controller:v1.0.*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/exclude-namespaces-dynamically/exclude-namespaces-dynamically/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/exclude-namespaces-dynamically/exclude-namespaces-dynamically/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml" target="-blank">/other/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">exclude-namespaces-example</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Exclude Namespaces Dynamically</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace, Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 11</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 13</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 14</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 15</span><span class="cl"><span class="sd"> It&#39;s common where policy lookups need to consider a mapping to many possible values rather than a </span></span></span><span class="line"><span class="ln"> 16</span><span class="cl"><span class="sd"> static mapping. This is a sample which demonstrates how to dynamically look up an allow list of Namespaces from a ConfigMap </span></span></span><span class="line"><span class="ln"> 17</span><span class="cl"><span class="sd"> where the ConfigMap stores an array of strings. This policy validates that any Pods created </span></span></span><span class="line"><span class="ln"> 18</span><span class="cl"><span class="sd"> outside of the list of Namespaces have the label `foo` applied.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">exclude-namespaces-dynamically</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 24</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespacefilters</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 26</span><span class="cl"><span class="w"> </span><span class="nt">configMap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 27</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespace-filters</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 28</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 29</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 30</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 31</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 32</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 33</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 34</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 35</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 36</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 37</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 38</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 39</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 40</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 41</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{namespacefilters.data.exclude}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 42</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 43</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 44</span><span class="cl"><span class="sd"> Creating Pods in the {{request.namespace}} namespace, </span></span></span><span class="line"><span class="ln"> 45</span><span class="cl"><span class="sd"> which is not in the excluded list of namespaces {{ namespacefilters.data.exclude }}, </span></span></span><span class="line"><span class="ln"> 46</span><span class="cl"><span class="sd"> is forbidden unless it carries the label `foo`.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 47</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 48</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 49</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 50</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 51</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 52</span><span class="cl"><span class="w"> </span><span class="nt">foo</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 53</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">exclude-namespaces-dynamically-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 54</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 55</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespacefilters</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 56</span><span class="cl"><span class="w"> </span><span class="nt">configMap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 57</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespace-filters</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 58</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 59</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 60</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 61</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 62</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 63</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 64</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 65</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 66</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 67</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 68</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{namespacefilters.data.exclude}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 69</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 70</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 71</span><span class="cl"><span class="sd"> Creating Pods in the {{request.namespace}} namespace, </span></span></span><span class="line"><span class="ln"> 72</span><span class="cl"><span class="sd"> which is not in the excluded list of namespaces {{ namespacefilters.data.exclude }}, </span></span></span><span class="line"><span class="ln"> 73</span><span class="cl"><span class="sd"> is forbidden unless it carries the label `foo`.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 74</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 75</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 76</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 77</span><span class="cl"><span class="w"> </span><span class="nt">foo</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 78</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">exclude-namespaces-dynamically-cronjobs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 79</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 80</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespacefilters</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 81</span><span class="cl"><span class="w"> </span><span class="nt">configMap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 82</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespace-filters</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 83</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 84</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 85</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 86</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 87</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 88</span><span class="cl"><span class="w"> </span>- <span class="l">CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 89</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 90</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 91</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 92</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 93</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{namespacefilters.data.exclude}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 94</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 95</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 96</span><span class="cl"><span class="sd"> Creating Pods in the {{request.namespace}} namespace, </span></span></span><span class="line"><span class="ln"> 97</span><span class="cl"><span class="sd"> which is not in the excluded list of namespaces {{ namespacefilters.data.exclude }}, </span></span></span><span class="line"><span class="ln"> 98</span><span class="cl"><span class="sd"> is forbidden unless it carries the label `foo`.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 99</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">100</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">101</span><span class="cl"><span class="w"> </span><span class="nt">jobTemplate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">102</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">103</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">104</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">105</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">106</span><span class="cl"><span class="w"> </span><span class="nt">foo</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/exclude-namespaces-dynamically/exclude-namespaces-dynamically/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/exclude-namespaces-dynamically/exclude-namespaces-dynamically/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml" target="-blank">/other-cel/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">exclude-namespaces-example</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Exclude Namespaces Dynamically in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace, Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 11</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 13</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 14</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 15</span><span class="cl"><span class="sd"> It&#39;s common where policy lookups need to consider a mapping to many possible values rather than a </span></span></span><span class="line"><span class="ln"> 16</span><span class="cl"><span class="sd"> static mapping. This is a sample which demonstrates how to dynamically look up an allow list of Namespaces from a ConfigMap </span></span></span><span class="line"><span class="ln"> 17</span><span class="cl"><span class="sd"> where the ConfigMap stores an array of strings. This policy validates that any Pods created </span></span></span><span class="line"><span class="ln"> 18</span><span class="cl"><span class="sd"> outside of the list of Namespaces have the label `foo` applied.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">exclude-namespaces-dynamically</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 28</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 29</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 30</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 31</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 32</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 33</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 34</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 35</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;filter-namespaces&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 37</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!(request.namespace in params.data[&#39;exclude&#39;].split(&#39;, &#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 38</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 39</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 40</span><span class="cl"><span class="w"> </span><span class="nt">paramKind</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 41</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 42</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 43</span><span class="cl"><span class="w"> </span><span class="nt">paramRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 44</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespace-filters</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 45</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 46</span><span class="cl"><span class="w"> </span><span class="nt">parameterNotFoundAction</span><span class="p">:</span><span class="w"> </span><span class="l">Deny</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 47</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 48</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has(object.spec.template.metadata) &amp;&amp; has(object.spec.template.metadata.labels) &amp;&amp; &#39;foo&#39; in object.spec.template.metadata.labels&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 49</span><span class="cl"><span class="w"> </span><span class="nt">messageExpression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 50</span><span class="cl"><span class="sd"> &#39;Creating Pods in the &#39; + request.namespace + &#39; namespace,&#39; + </span></span></span><span class="line"><span class="ln"> 51</span><span class="cl"><span class="sd"> &#39; which is not in the excluded list of namespaces&#39; + params.data.exclude + &#39;,&#39; + </span></span></span><span class="line"><span class="ln"> 52</span><span class="cl"><span class="sd"> &#39; is forbidden unless it carries the label `foo`.&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 53</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">exclude-namespaces-dynamically-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 54</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 55</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 56</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 57</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 58</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 59</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 60</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 61</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 62</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 63</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;filter-namespaces&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 64</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!(request.namespace in params.data[&#39;exclude&#39;].split(&#39;, &#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 65</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 66</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 67</span><span class="cl"><span class="w"> </span><span class="nt">paramKind</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 68</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 69</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 70</span><span class="cl"><span class="w"> </span><span class="nt">paramRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 71</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespace-filters</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 72</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 73</span><span class="cl"><span class="w"> </span><span class="nt">parameterNotFoundAction</span><span class="p">:</span><span class="w"> </span><span class="l">Deny</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 74</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 75</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has(object.metadata.labels) &amp;&amp; &#39;foo&#39; in object.metadata.labels&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 76</span><span class="cl"><span class="w"> </span><span class="nt">messageExpression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 77</span><span class="cl"><span class="sd"> &#39;Creating Pods in the &#39; + request.namespace + &#39; namespace,&#39; + </span></span></span><span class="line"><span class="ln"> 78</span><span class="cl"><span class="sd"> &#39; which is not in the excluded list of namespaces &#39; + params.data.exclude + &#39;,&#39; + </span></span></span><span class="line"><span class="ln"> 79</span><span class="cl"><span class="sd"> &#39; is forbidden unless it carries the label `foo`.&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 80</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">exclude-namespaces-dynamically-cronjobs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 81</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 82</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 83</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 84</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 85</span><span class="cl"><span class="w"> </span>- <span class="l">CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 86</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 87</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 88</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 89</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 90</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;filter-namespaces&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 91</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!(request.namespace in params.data[&#39;exclude&#39;].split(&#39;, &#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 92</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 93</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 94</span><span class="cl"><span class="w"> </span><span class="nt">paramKind</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 95</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 96</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 97</span><span class="cl"><span class="w"> </span><span class="nt">paramRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 98</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespace-filters</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 99</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln">100</span><span class="cl"><span class="w"> </span><span class="nt">parameterNotFoundAction</span><span class="p">:</span><span class="w"> </span><span class="l">Deny</span><span class="w"> </span></span></span><span class="line"><span class="ln">101</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">102</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">103</span><span class="cl"><span class="sd"> has(object.spec.jobTemplate.spec.template.metadata) &amp;&amp; </span></span></span><span class="line"><span class="ln">104</span><span class="cl"><span class="sd"> has(object.spec.jobTemplate.spec.template.metadata.labels) &amp;&amp; &#39;foo&#39; in object.spec.jobTemplate.spec.template.metadata.labels</span><span class="w"> </span></span></span><span class="line"><span class="ln">105</span><span class="cl"><span class="w"> </span><span class="nt">messageExpression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="ln">106</span><span class="cl"><span class="sd"> &#39;Creating Pods in the &#39; + request.namespace + &#39; namespace,&#39; + </span></span></span><span class="line"><span class="ln">107</span><span class="cl"><span class="sd"> &#39; which is not in the excluded list of namespaces &#39; + params.data.exclude + &#39;,&#39; + </span></span></span><span class="line"><span class="ln">108</span><span class="cl"><span class="sd"> &#39; is forbidden unless it carries the label `foo`.&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/expiration-for-policyexceptions/expiration-for-policyexceptions/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/expiration-for-policyexceptions/expiration-for-policyexceptions/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/expiration-for-policyexceptions/expiration-for-policyexceptions.yaml" target="-blank">/other/expiration-for-policyexceptions/expiration-for-policyexceptions.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">expiration-for-policyexceptions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Expiration for PolicyExceptions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PolicyException</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In situations where Ops/Platform teams want to allow exceptions on a </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> temporary basis, there must be a way to remove the PolicyException once the </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> expiration time has been reached. After the exception is removed, the rule(s) </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> for which the exception is granted go back into full effect. This policy generates </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> a ClusterCleanupPolicy with a four hour expiration time after which the PolicyException </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> is deleted. It may be necessary to grant both the Kyverno as well as cleanup controller </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> ServiceAccounts additional permissions to operate this policy.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">expire-four-hours</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">PolicyException</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterCleanupPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">polex-{{ request.namespace }}-{{ request.object.metadata.name }}-{{ random(&#39;[0-9a-z]{8}&#39;) }}</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/automated</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ time_add(&#39;{{ time_now_utc() }}&#39;,&#39;4h&#39;) | time_to_cron(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">PolicyException</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{ request.namespace }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{ request.object.metadata.name }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/forbid-cpu-limits/forbid-cpu-limits/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/forbid-cpu-limits/forbid-cpu-limits/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/forbid-cpu-limits/forbid-cpu-limits.yaml" target="-blank">/other/forbid-cpu-limits/forbid-cpu-limits.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">forbid-cpu-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Forbid CPU Limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-cpu-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Containers may not define CPU limits.</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">=(resources)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">=(limits)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">X(cpu)</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/forbid-cpu-limits/forbid-cpu-limits/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/forbid-cpu-limits/forbid-cpu-limits/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml" target="-blank">/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">forbid-cpu-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Forbid CPU Limits in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-cpu-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> !object.spec.containers.exists(container, </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> container.?resources.?limits.?cpu.hasValue())</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Containers may not define CPU limits.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/flux/generate-flux-multi-tenant-resources/generate-flux-multi-tenant-resources/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/flux/generate-flux-multi-tenant-resources/generate-flux-multi-tenant-resources/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//flux/generate-flux-multi-tenant-resources/generate-flux-multi-tenant-resources.yaml" target="-blank">/flux/generate-flux-multi-tenant-resources/generate-flux-multi-tenant-resources.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">generate-flux-multi-tenant-resources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Generate Flux Multi-Tenant Resources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Flux</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ServiceAccount, RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> As part of the tenant provisioning process, Flux needs to generate RBAC resources. This policy </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> will create a ServiceAccount and RoleBinding when a new or existing Namespace is labeled </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> with `toolkit.fluxcd.io/tenant`. Use of this rule may require an additional binding for the </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> Kyverno ServiceAccount so it has permissions to properly create the RoleBinding.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">generate-flux-sa</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">toolkit.fluxcd.io/tenant</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.labels.\&#34;toolkit.fluxcd.io/tenant\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">toolkit.fluxcd.io/tenant</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.labels.\&#34;toolkit.fluxcd.io/tenant\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.labels.\&#34;toolkit.fluxcd.io/tenant\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">generate-flux-rolebinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">toolkit.fluxcd.io/tenant</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.labels.\&#34;toolkit.fluxcd.io/tenant\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">toolkit.fluxcd.io/tenant</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.labels.\&#34;toolkit.fluxcd.io/tenant\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;flux-{{request.object.metadata.labels.\&#34;toolkit.fluxcd.io/tenant\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">roleRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">apiGroup</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cluster-admin</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">User</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;flux:{{request.object.metadata.name}}:{{request.object.metadata.labels.\&#34;toolkit.fluxcd.io/tenant\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.labels.\&#34;toolkit.fluxcd.io/tenant\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml" target="-blank">/kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="c"># This is an example rule intended to be cloned &amp; modified to meet organizational requirements.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="c"># The `dataprotetion` label value can be changed to correspond with specific policy templates.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="c"># </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"></span><span class="c"># NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"></span><span class="c">#</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"></span><span class="c"># apiVersion: rbac.authorization.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"></span><span class="c"># kind: ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"></span><span class="c"># metadata:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"></span><span class="c"># labels:</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"></span><span class="c"># app.kubernetes.io/component: background-controller</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"></span><span class="c"># app.kubernetes.io/instance: kyverno</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"></span><span class="c"># app.kubernetes.io/part-of: kyverno</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"></span><span class="c"># name: kyverno:create-kasten-policies</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="c"># rules:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="c"># - apiGroups:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="c"># - config.kio.kasten.io</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="c"># resources:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="c"># - policies</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="c"># verbs:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="c"># - create</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="c"># - update</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"></span><span class="c"># - delete</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"></span><span class="c">#</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-generate-example-backup-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Generate Kasten Backup Policy Based on Resource Label</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Veeam Kasten</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24-1.30&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> Generates a Kasten policy for a namespace that includes any Deployment or StatefulSet with a &#34;dataprotection=kasten-example&#34; label, if the policy does not already exist. This Kyverno policy can be used in combination with the &#34;kasten-data-protection-by-label&#34; policy to require &#34;dataprotection&#34; labeling on workloads.</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-generate-example-backup-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">dataprotection</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-example</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">dataprotectionLabelValue</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;kasten-example&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kyvernoPolicyName</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;kasten-generate-example-backup-policy&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">existingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policies&#34;</span><span class="w"> </span><span class="c"># returns list of Kasten policies from kasten-io namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[][[@.metadata.labels.\&#34;generate.kyverno.io/policy-name\&#34;==&#39;{{ kyvernoPolicyName }}&#39;] &amp;&amp; [@.spec.selector.matchExpressions[].values[?@==&#39;{{ request.namespace }}&#39;]]][][][][] | length(@)&#34;</span><span class="w"> </span><span class="c"># queries if a Kasten policy protecting the namespace generated by this Kyverno policy already exists </span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ existingPolicy }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="c"># Only generate the policy if it does not already exist</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">config.kio.kasten.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.namespace }}-{{ dataprotectionLabelValue }}-policy&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-io</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.namespace }}-{{ dataprotectionLabelValue }}-policy&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-io</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">comment</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Auto-generated by Kyverno&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span><span class="nt">frequency</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;@daily&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span><span class="nt">retention</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">daily</span><span class="p">:</span><span class="w"> </span><span class="m">7</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span><span class="nt">weekly</span><span class="p">:</span><span class="w"> </span><span class="m">4</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span><span class="nt">monthly</span><span class="p">:</span><span class="w"> </span><span class="m">12</span><span class="w"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span><span class="nt">yearly</span><span class="p">:</span><span class="w"> </span><span class="m">7</span><span class="w"> </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="w"> </span><span class="nt">actions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">83</span><span class="cl"><span class="w"> </span>- <span class="nt">action</span><span class="p">:</span><span class="w"> </span><span class="l">backup</span><span class="w"> </span></span></span><span class="line"><span class="ln">84</span><span class="cl"><span class="w"> </span>- <span class="nt">action</span><span class="p">:</span><span class="w"> </span><span class="l">export</span><span class="w"> </span></span></span><span class="line"><span class="ln">85</span><span class="cl"><span class="w"> </span><span class="nt">exportParameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">86</span><span class="cl"><span class="w"> </span><span class="nt">frequency</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;@daily&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">87</span><span class="cl"><span class="w"> </span><span class="nt">profile</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">88</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">test</span><span class="w"> </span></span></span><span class="line"><span class="ln">89</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-io</span><span class="w"> </span></span></span><span class="line"><span class="ln">90</span><span class="cl"><span class="w"> </span><span class="nt">exportData</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">91</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">92</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">93</span><span class="cl"><span class="w"> </span><span class="nt">matchExpressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">94</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">k10.kasten.io/appNamespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">95</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">In</span><span class="w"> </span></span></span><span class="line"><span class="ln">96</span><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">97</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{ request.namespace }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml" target="-blank">/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="c"># This example assumes that Kasten policy presets named &#34;gold&#34;, &#34;silver&#34;, and &#34;bronze&#34; have been pre-created and Kasten was deployed into the `kasten-io` namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="c">#</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="c"># NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"></span><span class="c">#</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"></span><span class="c"># apiVersion: rbac.authorization.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"></span><span class="c"># kind: ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"></span><span class="c"># metadata:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"></span><span class="c"># labels:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"></span><span class="c"># app.kubernetes.io/component: background-controller</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"></span><span class="c"># app.kubernetes.io/instance: kyverno</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"></span><span class="c"># app.kubernetes.io/part-of: kyverno</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"></span><span class="c"># name: kyverno:create-kasten-policies</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"></span><span class="c"># rules:</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="c"># - apiGroups:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="c"># - config.kio.kasten.io</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="c"># resources:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="c"># - policies</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="c"># verbs:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="c"># - create</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="c"># - update</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="c"># - delete</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"></span><span class="c">#</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-generate-policy-by-preset-label</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Generate Kasten Policy from Preset</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Veeam Kasten</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24-1.30&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> Generates a Kasten policy for a new namespace that includes a valid &#34;dataprotection&#34; label, if the policy does not already exist. </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> Use with &#34;kasten-validate-ns-by-preset-label&#34; policy to require &#34;dataprotection&#34; labeling on new namespaces.</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-generate-policy-by-preset-label</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">matchExpressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">dataprotection </span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">In</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="l">gold</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="l">silver</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="l">bronze</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">existingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policies&#34;</span><span class="w"> </span><span class="c"># returns list of Kasten policies from kasten-io namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[][[@.spec.presetRef][?name==&#39;{{ request.object.metadata.labels.dataprotection }}&#39;] &amp;&amp; [@.spec.selector.matchExpressions[].values[?@==&#39;{{ request.namespace }}&#39;]]][][][][] | length(@)&#34;</span><span class="w"> </span><span class="c"># queries if a policy based on the dataprotection label value, covering that app namespace already exists </span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ existingPolicy }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="c"># Only generate the policy if it does not already exist</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">config.kio.kasten.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.namespace }}-{{ request.object.metadata.labels.dataprotection }}-backup&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-io</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">comment</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Auto-generated by Kyverno&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">paused</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">actions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span>- <span class="nt">action</span><span class="p">:</span><span class="w"> </span><span class="l">backup</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">presetRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.labels.dataprotection }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-io</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">matchExpressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">k10.kasten.io/appNamespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">In</span><span class="w"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{ request.namespace }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/generate-networkpolicy-existing/generate-networkpolicy-existing/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/generate-networkpolicy-existing/generate-networkpolicy-existing/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml" target="-blank">/other/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">generate-networkpolicy-existing</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Generate NetworkPolicy to Existing Namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace, NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> A NetworkPolicy is often a critical piece when provisioning new Namespaces, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> but there may be existing Namespaces which also need the same resource. Creating </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> each one individually or manipulating each Namespace in order to trigger creation </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> is additional overhead. This policy creates a new NetworkPolicy for existing </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> Namespaces which results in a default deny behavior and labels it with created-by=kyverno.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">generateExisting</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">generate-existing-networkpolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-deny</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">created-by</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">Egress</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/ingress-host-match-tls/ingress-host-match-tls/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/ingress-host-match-tls/ingress-host-match-tls/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/ingress-host-match-tls/ingress-host-match-tls.yaml" target="-blank">/other/ingress-host-match-tls/ingress-host-match-tls.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ingress-host-match-tls</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress Host Match TLS</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.20, 1.21&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Ingress resources which name a host name that is not present </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> in the TLS section can produce ingress routing failures as a TLS </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> certificate may not correspond to the destination host. This policy </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> ensures that the host name in an Ingress rule is also found </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> in the list of TLS hosts.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">host-match-tls</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The host(s) in spec.rules[].host must match those in spec.tls[].hosts[].&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ (request.object.spec.rules[].host || `[]`) | sort(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ (request.object.spec.tls[].hosts[] || `[]`) | sort(@) }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/ingress-host-match-tls/ingress-host-match-tls/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/ingress-host-match-tls/ingress-host-match-tls/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml" target="-blank">/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ingress-host-match-tls</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress Host Match TLS in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Ingress resources which name a host name that is not present </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> in the TLS section can produce ingress routing failures as a TLS </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> certificate may not correspond to the destination host. This policy </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> ensures that the host name in an Ingress rule is also found </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> in the list of TLS hosts.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">host-match-tls</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">tls</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?tls.orValue([])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> object.spec.rules.all(rule, </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> !has(rule.host) || </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> variables.tls.exists(tls, tls.?hosts.orValue([]).exists(tlsHost, tlsHost == rule.host)))</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The host(s) in spec.rules[].host must match those in spec.tls[].hosts[].&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/inject-env-var-from-image-label/inject-env-var-from-image-label/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/inject-env-var-from-image-label/inject-env-var-from-image-label/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/inject-env-var-from-image-label/inject-env-var-from-image-label.yaml" target="-blank">/other/inject-env-var-from-image-label/inject-env-var-from-image-label.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">inject-env-var-from-image-label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Inject Env Var from Image Label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Container images which use metadata such as the LABEL directive in a Dockerfile </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> do not surface this information to apps running within. In some cases, running the image </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> as a container may need access to this information. This policy injects the value of a label </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> set in a Dockerfile named `maintainer` as an environment variable to the corresponding container </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> in the Pod.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-env-maintainer</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">maintainer</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;configData.config.Labels.maintainer || &#39;&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{maintainer}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> - op: add </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> path: &#34;/spec/containers/{{elementIndex}}/env/-&#34; </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="sd"> value: </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="sd"> name: MAINTAINER </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="sd"> value: &#34;{{maintainer}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift/inject-infrastructurename/inject-infrastructurename/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift/inject-infrastructurename/inject-infrastructurename/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift/inject-infrastructurename/inject-infrastructurename.yaml" target="-blank">/openshift/inject-infrastructurename/inject-infrastructurename.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">inject-infrastructurename</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Inject Infrastructure Name</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">OpenShift</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">MachineSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> A required component of a MachineSet is the infrastructure name which is a random string </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> created in a separate resource. It can be tedious or impossible to know this for each </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> MachineSet created. This policy fetches the value of the infrastructure name from the </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> Cluster resource and replaces all instances of TEMPLATE in a MachineSet with that name.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">replace-template</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">machine.openshift.io/v1beta1/MachineSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cluster</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="l">/apis/config.openshift.io/v1/infrastructures/cluster</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">infraid</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">cluster.status.infrastructureName</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> - op: replace </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> path: /metadata </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> value: {{ replace_all(to_string(request.object.metadata),&#39;TEMPLATE&#39;, infraid) }} </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> - op: replace </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> path: /spec </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> value: {{ replace_all(to_string(request.object.spec),&#39;TEMPLATE&#39;, infraid) }}</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/inject-sidecar-deployment/inject-sidecar-deployment/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/inject-sidecar-deployment/inject-sidecar-deployment/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/inject-sidecar-deployment/inject-sidecar-deployment.yaml" target="-blank">/other/inject-sidecar-deployment/inject-sidecar-deployment.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">inject-sidecar</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Inject Sidecar Container</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment,Volume</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> The sidecar pattern is very common in Kubernetes whereby other applications can </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> insert components via tacit modification of a submitted resource. This is, for example, </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> often how service meshes and secrets applications are able to function transparently. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy injects a sidecar container, initContainer, and volume into Pods that match </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> an annotation called `vault.hashicorp.com/agent-inject: true`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">inject-sidecar</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">(vault.hashicorp.com/agent-inject)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">vault-agent</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">vault:1.5.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">imagePullPolicy</span><span class="p">:</span><span class="w"> </span><span class="l">IfNotPresent</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">volumeMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l">/vault/secrets</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">vault-secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">initContainers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">vault-agent-init</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">vault:1.5.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">imagePullPolicy</span><span class="p">:</span><span class="w"> </span><span class="l">IfNotPresent</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">volumeMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l">/vault/secrets</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">vault-secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">vault-secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">emptyDir</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">medium</span><span class="p">:</span><span class="w"> </span><span class="l">Memory</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/inspect-csr/inspect-csr/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/inspect-csr/inspect-csr/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/inspect-csr/inspect-csr.yaml" target="-blank">/other/inspect-csr/inspect-csr.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">inspect-csr</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Inspect CertificateSigningRequest</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">CertificateSigningRequest</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> The Kubernetes API includes a CertificateSigningRequest resource which can be used to </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> generate a certificate for an entity. Because this API can be abused to create a long-lived </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> credential, it is important to be able to audit this API to understand who/what is creating </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> these CSRs and for what actors they are being created. This policy, intended to always be run </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> in Audit mode and produce failure results in a Policy Report, inspects all incoming CertificateSigningRequests </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> and writes out into the Policy Report information on who/what requested it and parsing the CSR </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> to show the Subject information of that CSR resource.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">csr</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CertificateSigningRequest</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> A CSR was created by {{ request.userInfo.{groups: groups, username: username} | to_string(@) }} </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> holding ClusterRoles {{ request.clusterRoles | to_string(@) }} </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> and Roles {{ request.roles | to_string(@) }}. </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> The subjects and groups requested in the CSR were &#34;{{ x509_decode(base64_decode(&#39;{{ request.object.spec.request }}&#39;)).Subject | to_string(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kubecost/kubecost-proactive-cost-control/kubecost-proactive-cost-control/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kubecost/kubecost-proactive-cost-control/kubecost-proactive-cost-control/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kubecost/kubecost-proactive-cost-control/kubecost-proactive-cost-control.yaml" target="-blank">/kubecost/kubecost-proactive-cost-control/kubecost-proactive-cost-control.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kubecost-proactive-cost-control</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Kubecost Proactive Cost Control</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Kubecost</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Kubecost Enterprise allows users to define budgets for Namespaces and clusters </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> as well as predict the cost of new Deployments based on historical cost data. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> By combining these abilities, users can achieve proactive cost controls for </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> clusters with Kubecost installed by denying Deployments which would exceed the </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> remaining configured monthly budget, if applicable. This policy checks for the creation of </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> Deployments and compares the predicted cost of the Deployment to the remaining amount </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> in the monthly budget, if one is found. If the predicted cost is greater than the remaining </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> budget, the Deployment is denied. This policy requires Kubecost Enterprise </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> at a version of 1.108 or greater.</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-monthly-namespace-budget</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="c"># First, check if this Namespace is subject to a budget.</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="c"># If it is not, always allow the Deployment.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ budget }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">nobudget</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="c"># Get the budget of the destination Namespace. Select the first budget returned which matches the Namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="c"># If no budget is found, set budget to &#34;nobudget&#34;.</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">budget</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l">GET</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l">http://kubecost-cost-analyzer.kubecost:9090/model/budgets</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;data[?values.namespace[?contains(@,&#39;{{ request.namespace }}&#39;)]] | [0] || &#39;nobudget&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="c"># Call the prediction API and pass it the Deployment from the admission request. Extract the totalMonthlyRate.</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">predictedMonthlyCost</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l">POST</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">apiVersion</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.apiVersion }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">kind</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.kind }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">spec</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l">http://kubecost-cost-analyzer.kubecost:9090/model/prediction/speccost?clusterID=cluster-one&amp;defaultNamespace=default</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[0].costChange.totalMonthlyRate&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="c"># Calculate the budget that remains from the window by subtracting the currentSpend from the spendLimit.</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">remainingBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">subtract(budget.spendLimit,budget.currentSpend)</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="sd"> This Deployment, which costs ${{ round(predictedMonthlyCost, `2`) }} to run for a month, </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="sd"> will overrun the remaining budget of ${{ round(remainingBudget,`2`) }}. Please seek approval or request </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="sd"> a Policy Exception.</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="c"># Deny the request if the predictedMonthlyCost is greater than the remainingBudget.</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ predictedMonthlyCost }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ remainingBudget }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.yaml" target="-blank">/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">config-syncer-secret-generation-from-rancher-capi</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Kubeops Config Syncer Secret Generation From Rancher CAPI Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Kubeops</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy generates and synchronizes a Kubeops Config Syncer merged kubeconfig </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Secret from Rancher managed cluster CAPI secrets. This kubeconfig Secret is </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> required by the Kubeops Config Syncer for it to sync ConfigMaps/Secrets from </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> the Rancher management cluster to downstream clusters.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">generateExisting</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">source-rancher-non-local-cluster-and-capi-secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">provisioning.cattle.io/v1/Cluster</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">fleet-local</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">currentKubeconfigData</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/kubed/secrets&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?metadata.name == &#39;kubed&#39;] | [0].data.kubeconfig || &#39;&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secretList</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{request.object.metadata.namespace}}/secrets&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?metadata.name.contains(@, &#39;-kubeconfig&#39;)]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kubeconfigClustersData</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> {{ secretList | [].{ </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> &#34;name&#34;: replace_all(metadata.name, &#39;-kubeconfig&#39;, &#39;&#39;), </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> &#34;cluster&#34;: data.value | base64_decode(@) | parse_yaml(@).clusters[].cluster[] | [0] } || &#39;\[\]&#39; </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> }}</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;to_string(@)&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kubeconfigUsersData</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="sd"> {{ secretList | [].{ </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="sd"> &#34;name&#34;: replace_all(metadata.name, &#39;-kubeconfig&#39;, &#39;&#39;), </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="sd"> &#34;user&#34;: data.value | base64_decode(@) | parse_yaml(@).users[].user[] | [0] } || &#39;\[\]&#39; </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="sd"> }}</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;to_string(@)&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"></span><span class="c"># - name: kubeconfigContextsData # Enable when Kyverno variable substitution bug is resolved</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"></span><span class="c"># variable:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"></span><span class="c"># value: |</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"></span><span class="c"># {{ secretList | [].{</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"></span><span class="c"># &#34;name&#34;: replace_all(metadata.name, &#39;-kubeconfig&#39;, &#39;&#39;),</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"></span><span class="c"># &#34;context&#34;: { &#34;cluster&#34;: metadata.name, &#34;user&#34;: metadata.name } }</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"></span><span class="c"># }}</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"></span><span class="c"># jmesPath: &#39;to_string(@)&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kubeconfigContextsData</span><span class="w"> </span><span class="c"># Use until Kyverno variable substitition bug is resolved</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="sd"> {{ secretList | [].{ </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="sd"> &#34;name&#34;: replace_all(metadata.name, &#39;-kubeconfig&#39;, &#39;&#39;), </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="sd"> &#34;context&#34;: [&#39;CLUSTER_BEGIN&#39;, replace_all(metadata.name, &#39;-kubeconfig&#39;, &#39;&#39;), &#39;CLUSTER_END&#39;, &#39;USER_BEGIN&#39;, replace_all(metadata.name, &#39;-kubeconfig&#39;, &#39;&#39;), &#39;USER_END&#39;] } || &#39;\[\]&#39; </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="sd"> }}</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;to_string(@) | replace_all(@, &#39;[\&#34;CLUSTER_BEGIN\&#34;,&#39;, &#39;{\&#34;cluster\&#34;:&#39;) | replace_all(@, &#39;\&#34;CLUSTER_END\&#34;,\&#34;USER_BEGIN\&#34;,&#39;, &#39;\&#34;user\&#34;:&#39;) | replace_all(@, &#39;,\&#34;USER_END\&#34;]&#39;, &#39;}&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kubeconfigData</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="sd"> { </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="sd"> &#34;apiVersion&#34;: &#34;v1&#34;, </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="sd"> &#34;kind&#34;: &#34;Config&#34;, </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="sd"> &#34;clusters&#34;: {{ kubeconfigClustersData }}, </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="sd"> &#34;contexts&#34;: {{ kubeconfigContextsData }}, </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="sd"> &#34;users&#34;: {{ kubeconfigUsersData }} </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="sd"> }</span><span class="w"> </span></span></span><span class="line"><span class="ln">83</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;to_string(@)&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">84</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">85</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">86</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ kubeconfigData || &#39;&#39;&#39;&#39; | base64_encode(@) }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">87</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">88</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ currentKubeconfigData }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">89</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">90</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">91</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">92</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">93</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kubed</span><span class="w"> </span></span></span><span class="line"><span class="ln">94</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">kubed</span><span class="w"> </span></span></span><span class="line"><span class="ln">95</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">96</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Opaque</span><span class="w"> </span></span></span><span class="line"><span class="ln">97</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">98</span><span class="cl"><span class="w"> </span><span class="nt">kubeconfig</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ kubeconfigData || &#39;&#39;&#39;&#39; | base64_encode(@) }}&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/kubernetes-version-check/kubernetes-version-check/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/kubernetes-version-check/kubernetes-version-check/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/kubernetes-version-check/kubernetes-version-check.yaml" target="-blank">/other/kubernetes-version-check/kubernetes-version-check.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kubernetes-version-check</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Kubernetes Version Check</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span>-<span class="l">rc2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> It is often needed to make decisions for resources based upon the version </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> of the Kubernetes API server in the cluster. This policy serves as an example </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> for how to retrieve the minor version of the Kubernetes API server and subsequently </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> use in a policy behavior. It will mutate a Secret upon its creation with a label </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> called `apiminorversion` the value of which is the minor version of the API server.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">test-ver-ver</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">minorversion</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="l">/version</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">minor</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">apiminorversion</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{minorversion}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/label-existing-namespaces/label-existing-namespaces/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/label-existing-namespaces/label-existing-namespaces/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/label-existing-namespaces/label-existing-namespaces.yaml" target="-blank">/other/label-existing-namespaces/label-existing-namespaces.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">label-existing-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Label Existing Namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Namespaces which preexist may need to be labeled after the fact and it is </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> time consuming to identify which ones should be labeled and either doing so manually </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> or with a scripted approach. This policy, which triggers on any AdmissionReview request </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> to any Namespace, will result in applying the label `mykey=myvalue` to all existing </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> Namespaces. If this policy is updated to change the desired label key or value, it will </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> cause another mutation which updates all Namespaces.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">mutateExistingOnPolicyUpdate</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">label-existing-namespaces</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">mykey</span><span class="p">:</span><span class="w"> </span><span class="l">myvalue</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/label-nodes-cri/label-nodes-cri/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/label-nodes-cri/label-nodes-cri/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/label-nodes-cri/label-nodes-cri.yaml" target="-blank">/other/label-nodes-cri/label-nodes-cri.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">label-nodes-cri</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Label Nodes with CRI Runtime</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Node, Label</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> CRI engines log in different formats. Loggers deployed as DaemonSets don&#39;t know </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> which format to apply because they can&#39;t see this information. By Kyverno writing a label </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> to each node with its runtime, loggers can use node label selectors to know which parsing logic to use. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy detects the CRI engine in use and writes a label to the Node called `runtime` with it. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> The Node resource filter should be removed and users may need to grant the Kyverno ServiceAccount permission </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> to update Nodes.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">mutateExistingOnPolicyUpdate</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">label-node-containerd</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">runtime</span><span class="p">:</span><span class="w"> </span><span class="l">containerd</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">status</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">nodeInfo</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">&lt;(containerRuntimeVersion)</span><span class="p">:</span><span class="w"> </span><span class="l">containerd*</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">label-node-docker</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">runtime</span><span class="p">:</span><span class="w"> </span><span class="l">docker</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">status</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">nodeInfo</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">&lt;(containerRuntimeVersion)</span><span class="p">:</span><span class="w"> </span><span class="l">docker*</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/limit-configmap-for-sa/limit-configmap-for-sa/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/limit-configmap-for-sa/limit-configmap-for-sa/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/limit-configmap-for-sa/limit-configmap-for-sa.yaml" target="-blank">/other/limit-configmap-for-sa/limit-configmap-for-sa.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-configmap-for-sa</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Limit ConfigMap to ServiceAccounts for a User</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.20-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap, ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">This policy shows how to restrict certain operations on specific ConfigMaps by ServiceAccounts.</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-configmap-for-sa-developer</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="c"># subjects:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="c"># - kind: ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="c"># name: developer</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="c"># namespace: kube-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">another-developer</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">another-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;any-namespace&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;another-namespace&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;any-configmap-name-good&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;another-configmap-name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} resource is protected. Admin or allowed users can change the resource&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/limit-containers-per-pod/limit-containers-per-pod/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/limit-containers-per-pod/limit-containers-per-pod/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/limit-containers-per-pod/limit-containers-per-pod.yaml" target="-blank">/other/limit-containers-per-pod/limit-containers-per-pod.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-containers-per-pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Limit Containers per Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Pods can have many different containers which </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> are tightly coupled. It may be desirable to limit the amount of containers that </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> can be in a single Pod to control best practice application or so policy can </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> be applied consistently. This policy checks all Pods to ensure they have </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> no more than four containers.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-containers-per-pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Pods can only have a maximum of 4 containers.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.containers[] | length(@)}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;4&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/limit-containers-per-pod/limit-containers-per-pod/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/limit-containers-per-pod/limit-containers-per-pod/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml" target="-blank">/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-containers-per-pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Limit Containers per Pod in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Pods can have many different containers which </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> are tightly coupled. It may be desirable to limit the amount of containers that </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> can be in a single Pod to control best practice application or so policy can </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> be applied consistently. This policy checks all Pods to ensure they have </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> no more than four containers.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-containers-per-pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;size(object.spec.containers) &lt;= 4&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Pods can only have a maximum of 4 containers.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/cert-manager/limit-dnsnames/limit-dnsnames/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/cert-manager/limit-dnsnames/limit-dnsnames/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//cert-manager/limit-dnsnames/limit-dnsnames.yaml" target="-blank">/cert-manager/limit-dnsnames/limit-dnsnames.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cert-manager-limit-dnsnames</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Limit dnsNames</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Cert-Manager</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Certificate</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Some applications will not accept certificates containing more than a single name. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy ensures that each certificate request contains </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> only one DNS name entry.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-dnsnames</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Certificate</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Only one dnsNames entry allowed per certificate request.</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.dnsNames || `[]` | length(@)}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/limit-hostpath-type-pv/limit-hostpath-type-pv/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/limit-hostpath-type-pv/limit-hostpath-type-pv/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml" target="-blank">/other/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-hostpath-type-pv</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Limit hostPath PersistentVolumes to Specific Directories</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PersistentVolume</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> hostPath persistentvolumes consume the underlying node&#39;s file system. If hostPath volumes </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> are not to be universally disabled, they should be restricted to only certain </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> host paths so as not to allow access to sensitive information. This policy ensures </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the only directory that can be mounted as a hostPath volume is /data.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-hostpath-type-pv-to-slash-data</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">PersistentVolume</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">hostPath type persistent volumes are confined to /data.</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">=(hostPath)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/data*</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml" target="-blank">/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-hostpath-type-pv</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Limit hostPath PersistentVolumes to Specific Directories in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PersistentVolume</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> hostPath persistentvolumes consume the underlying node&#39;s file system. If hostPath volumes </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> are not to be universally disabled, they should be restricted to only certain </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> host paths so as not to allow access to sensitive information. This policy ensures </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the only directory that can be mounted as a hostPath volume is /data.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-hostpath-type-pv-to-slash-data</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">PersistentVolume</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!has(object.spec.hostPath) || object.spec.hostPath.path.startsWith(&#39;/data&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">hostPath type persistent volumes are confined to /data.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/limit-hostpath-vols/limit-hostpath-vols/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/limit-hostpath-vols/limit-hostpath-vols/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/limit-hostpath-vols/limit-hostpath-vols.yaml" target="-blank">/other/limit-hostpath-vols/limit-hostpath-vols.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-hostpath-vols</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Limit hostPath Volumes to Specific Directories</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> hostPath volumes consume the underlying node&#39;s file system. If hostPath volumes </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> are not to be universally disabled, they should be restricted to only certain </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> host paths so as not to allow access to sensitive information. This policy ensures </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> the only directory that can be mounted as a hostPath volume is /data. It is strongly </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> recommended to pair this policy with a second to ensure readOnly </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> access is enforced preventing directory escape.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-hostpath-to-slash-data</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.volumes[?hostPath] | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">hostPath volumes are confined to /data.</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.volumes[?hostPath].hostPath&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.path | to_string(@) | split(@, &#39;/&#39;) | [1] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">data</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/limit-hostpath-vols/limit-hostpath-vols/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/limit-hostpath-vols/limit-hostpath-vols/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/limit-hostpath-vols/limit-hostpath-vols.yaml" target="-blank">/other-cel/limit-hostpath-vols/limit-hostpath-vols.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-hostpath-vols</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Limit hostPath Volumes to Specific Directories in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> hostPath volumes consume the underlying node&#39;s file system. If hostPath volumes </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> are not to be universally disabled, they should be restricted to only certain </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> host paths so as not to allow access to sensitive information. This policy ensures </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> the only directory that can be mounted as a hostPath volume is /data. It is strongly </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> recommended to pair this policy with a second to ensure readOnly </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> access is enforced preventing directory escape.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">limit-hostpath-to-slash-data</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has-host-path-volume&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?volumes.orValue([]).exists(volume, has(volume.hostPath))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.volumes.all(volume, !has(volume.hostPath) || volume.hostPath.path.split(&#39;/&#39;)[1] == &#39;data&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">hostPath volumes are confined to /data.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/mitigate-log4shell/mitigate-log4shell/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/mitigate-log4shell/mitigate-log4shell/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/mitigate-log4shell/mitigate-log4shell.yaml" target="-blank">/other/mitigate-log4shell/mitigate-log4shell.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">log4shell-mitigation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Log4Shell Mitigation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> In response to CVE-2021-44228 referred to as Log4Shell, a RCE vulnerability in the Log4j library, a </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> partial yet incomplete workaround for versions 2.10 to 2.14.1 of the library is to set the environment </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> variable LOG4J_FORMAT_MSG_NO_LOOKUPS to &#34;true&#34;. While this does provide some </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> benefit by limiting exposure, there are still code paths which can exploit </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> this vulnerability. It is highly recommended to upgrade log4j as soon as possible. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> See https://logging.apache.org/log4j/2.x/security.html for more details. </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> This policy will mutate all initContainers and containers in an </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> incoming Pod to add this environment variable automatically.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-log4shell-mitigation-initcontainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">initContainers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">LOG4J_FORMAT_MSG_NO_LOOKUPS</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-log4shell-mitigation-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">LOG4J_FORMAT_MSG_NO_LOOKUPS</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/memory-requests-equal-limits/memory-requests-equal-limits/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/memory-requests-equal-limits/memory-requests-equal-limits/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/memory-requests-equal-limits/memory-requests-equal-limits.yaml" target="-blank">/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">memory-requests-equal-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Memory Requests Equal Limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Pods which have memory limits equal to requests could be given a QoS class of Guaranteed if </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> they also set CPU limits equal to requests. Guaranteed is the highest schedulable class. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy checks that all containers in a given Pod have memory requests equal to limits.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">memory-requests-equal-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;resources.requests.memory must be equal to resources.limits.memory&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.containers[?resources.requests.memory!=resources.limits.memory] | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/memory-requests-equal-limits/memory-requests-equal-limits/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/memory-requests-equal-limits/memory-requests-equal-limits/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml" target="-blank">/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">memory-requests-equal-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Memory Requests Equal Limits in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Pods which have memory limits equal to requests could be given a QoS class of Guaranteed if </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> they also set CPU limits equal to requests. Guaranteed is the highest schedulable class. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy checks that all containers in a given Pod have memory requests equal to limits.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">memory-requests-equal-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.containers.all(container, </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> !container.?resources.?requests.?memory.hasValue() || </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> container.resources.requests.memory == container.resources.?limits.?memory.orValue(&#39;-1&#39;))</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;resources.requests.memory must be equal to resources.limits.memory&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/metadata-match-regex/metadata-match-regex/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/metadata-match-regex/metadata-match-regex/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/metadata-match-regex/metadata-match-regex.yaml" target="-blank">/other/metadata-match-regex/metadata-match-regex.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">metadata-match-regex</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Metadata Matches Regex</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Label</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Rather than a simple check to see if given metadata such as labels and annotations are present, </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> in some cases they need to be present and the values match a specified regular expression. This </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> policy illustrates how to ensure a label with key `corp.org/version` is both present and matches </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> a given regex, in this case ensuring semver is met.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-for-regex</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="sd"> The label `corp.org/version` is required and must match the specified regex: ^v[0-9].[0-9].[0-9]$</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ regex_match(&#39;^v[0-9].[0-9].[0-9]$&#39;,&#39;{{request.object.metadata.labels.\&#34;corp.org/version\&#34; || &#39;empty&#39;}}&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/metadata-match-regex/metadata-match-regex/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/metadata-match-regex/metadata-match-regex/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/metadata-match-regex/metadata-match-regex.yaml" target="-blank">/other-cel/metadata-match-regex/metadata-match-regex.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">metadata-match-regex</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Metadata Matches Regex in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Label</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Rather than a simple check to see if given metadata such as labels and annotations are present, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> in some cases they need to be present and the values match a specified regular expression. This </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> policy illustrates how to ensure a label with key `corp.org/version` is both present and matches </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> a given regex, in this case ensuring semver is met.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-for-regex</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> object.metadata.?labels[?&#39;corp.org/version&#39;].orValue(&#39;default&#39;).matches(&#39;^v[0-9].[0-9].[0-9]$&#39;)</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> The label `corp.org/version` is required and must match the specified regex: ^v[0-9].[0-9].[0-9]$</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/mutate-pod-binding/mutate-pod-binding/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/mutate-pod-binding/mutate-pod-binding/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/mutate-pod-binding/mutate-pod-binding.yaml" target="-blank">/other/mutate-pod-binding/mutate-pod-binding.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mutate-pod-binding</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Mutate Pod Binding</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Containers running in Pods may sometimes need access to node-specific information </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> on which the Pod has been scheduled. Scheduling decisions are made by kube-scheduler after </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the Pod has been persisted and so only at that time may the Node to which the Pod is bound </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> can be fetched. The Kubernetes API allows specifically the projection of annotations from these </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> Binding resources to the Pods which are their subject. This policy watches for then mutates </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> the /binding subresource of a Pod to add an annotation named `foo` the value of which comes </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> from the bound Node&#39;s label also called `foo`. Use of this policy may require removal of the </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> Binding resourceFilter in Kyverno&#39;s ConfigMap.</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">project-foo</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">Pod/binding</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">node</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.target.name</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">foolabel</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/nodes/{{node}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">metadata.labels.foo || &#39;empty&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">foo</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ foolabel }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/mutate-large-termination-gps/mutate-large-termination-gps/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/mutate-large-termination-gps/mutate-large-termination-gps/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/mutate-large-termination-gps/mutate-large-termination-gps.yaml" target="-blank">/other/mutate-large-termination-gps/mutate-large-termination-gps.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mutate-termination-grace-period-seconds</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Mutate termination Grace Periods Seconds</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pods with large terminationGracePeriodSeconds (tGPS) might prevent cluster nodes </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> from getting drained, ultimately making the whole cluster unstable. This policy </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> mutates all incoming Pods to set their tGPS under 50s. If the user creates a pod </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> without specifying tGPS, then the Kubernetes default of 30s is maintained.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mutate-termination-grace-period-seconds</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.terminationGracePeriodSeconds || `0` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">50</span><span class="w"> </span><span class="c"># maximum tGPS allowed by cluster admin</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">terminationGracePeriodSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">50</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/namespace-inventory-check/namespace-inventory-check/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/namespace-inventory-check/namespace-inventory-check/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/namespace-inventory-check/namespace-inventory-check.yaml" target="-blank">/other/namespace-inventory-check/namespace-inventory-check.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespace-inventory-check</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace Inventory Check</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In cases such as multi-tenancy where new Namespaces must be fully </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> provisioned before they can be used, it may not be easy to declare and </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> understand if/when the Namespace is ready. Having a policy which defines </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> all the resources which are required for each Namespace can assist in determining </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> compliance. This policy, expected to be run in background mode only, performs a Namespace </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> inventory check to ensure that all Namespaces have a ResourceQuota and NetworkPolicy. </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> Additional rules may be written to extend the check for your needs. By default, background </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> scans occur every one hour which may be changed with an additional container flag. Please </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> see the installation documentation for details.</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">resourcequotas</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="l">kube-public</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="l">kube-node-lease</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">resourcequotas</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{request.object.metadata.name}}/resourcequotas&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[] | length(@)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Every Namespace must have at least one ResourceQuota.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ resourcequotas }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">networkpolicies</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span>- <span class="l">kube-public</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span>- <span class="l">kube-node-lease</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">netpols</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/networking.k8s.io/v1/namespaces/{{request.object.metadata.name}}/networkpolicies&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[] | length(@)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Every Namespace must have at least one NetworkPolicy.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ netpols }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/namespace-protection/namespace-protection/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/namespace-protection/namespace-protection/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/namespace-protection/namespace-protection.yaml" target="-blank">/other/namespace-protection/namespace-protection.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespace-protection</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace Protection</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Cases where RBAC may be applied at a higher level and where Namespace-level </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> protections may be necessary can be accomplished with a separate policy. For example, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> one may want to protect creates, updates, and deletes on only a single Namespace. This </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> policy will block creates, updates, and deletes to any Namespace labeled with `freeze=true`. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> Caution should be exercised when using rules which match on all kinds (`&#34;*&#34;`) as this will </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> involve, for larger clusters, a substantial amount of processing on Kyverno&#39;s part. Additional </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> resource requests and/or limits may be required.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-freeze</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">namespaceSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">matchExpressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">freeze</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">In</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;This Namespace is frozen and no modifications may be performed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/nfs-subdir-external-provisioner-storage-path/nfs-subdir-external-provisioner-storage-path/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/nfs-subdir-external-provisioner-storage-path/nfs-subdir-external-provisioner-storage-path/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/nfs-subdir-external-provisioner-storage-path/nfs-subdir-external-provisioner-storage-path.yaml" target="-blank">/other/nfs-subdir-external-provisioner-storage-path/nfs-subdir-external-provisioner-storage-path.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">nfs-subdir-external-provisioner-storage-path</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">NFS Subdirectory External Provisioner Enforce Storage Path</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PersistentVolumeClaim</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The NFS subdir external provisioner project allows defining a StorageClass with a pathPattern, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> a template used to provision subdirectories on NFS exports. This can be controlled with an </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> annotation on a PVC called `nfs.io/storage-path`. This policy ensures that if the StorageClass </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> name `nfs-client` is used by a PVC, corresponding to the NFS subdir external provisioner, and if it sets the nfs.io/storage-path </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> annotation that it cannot be empty, which may otherwise result in it consuming the root of the designated path.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">enforce-storage-path</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">PersistentVolumeClaim</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">nfs.io/storage-path annotation must not be empty.</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">=(annotations)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">=(nfs.io/storage-path)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">&lt;(storageClassName)</span><span class="p">:</span><span class="w"> </span><span class="l">nfs-client</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml" target="-blank">/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">only-trustworthy-registries-set-root</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Only Trustworthy Registries Set Root</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Some containers must be built to run as root in order to function properly, but </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> use of those images should be carefully restricted to prevent unneeded privileges. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy blocks any image that runs as root if it does not come from a trustworthy </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> registry, `ghcr.io` in this case.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">only-allow-trusted-images</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Images with root user are not allowed to be pulled from any registry other than ghcr.io.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imageData</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ imageData.configData.config.User || &#39;&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ imageData.registry }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ghcr.io&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/pdb-maxunavailable/pdb-maxunavailable/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/pdb-maxunavailable/pdb-maxunavailable/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/pdb-maxunavailable/pdb-maxunavailable.yaml" target="-blank">/other/pdb-maxunavailable/pdb-maxunavailable.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pdb-maxunavailable</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">PodDisruptionBudget maxUnavailable Non-Zero</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> A PodDisruptionBudget which sets its maxUnavailable value to zero prevents </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> all voluntary evictions including Node drains which may impact maintenance tasks. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> it must be greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pdb-maxunavailable</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The value of maxUnavailable must be greater than zero.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">=(maxUnavailable)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/pdb-maxunavailable/pdb-maxunavailable/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/pdb-maxunavailable/pdb-maxunavailable/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml" target="-blank">/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pdb-maxunavailable</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">PodDisruptionBudget maxUnavailable Non-Zero in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> A PodDisruptionBudget which sets its maxUnavailable value to zero prevents </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> all voluntary evictions including Node drains which may impact maintenance tasks. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> it must be greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pdb-maxunavailable</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;int(object.spec.?maxUnavailable.orValue(1)) &gt; 0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The value of maxUnavailable must be greater than zero.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/pdb-maxunavailable-with-deployments/pdb-maxunavailable-with-deployments/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/pdb-maxunavailable-with-deployments/pdb-maxunavailable-with-deployments/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/pdb-maxunavailable-with-deployments/pdb-maxunavailable-with-deployments.yaml" target="-blank">/other/pdb-maxunavailable-with-deployments/pdb-maxunavailable-with-deployments.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pdb-maxunavailable-with-deployments</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">PodDisruptionBudget maxUnavailable Non-Zero with Deployments</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.4</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PodDisruptionBudget, Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> A PodDisruptionBudget which sets its maxUnavailable value to zero prevents </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> all voluntary evictions including Node drains which may impact maintenance tasks. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This may be acceptable if there are no matching controllers, but if there are then </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> creation of such a PDB could allow unintended disruption. This policy enforces that </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> a PodDisruptionBudget may not specify the maxUnavailable field as zero if there are </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> any existing matching Deployments having greater than zero replicas.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pdb-maxunavailable</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deploymentreplicas</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">items[?label_match(`{{request.object.spec.selector.matchLabels}}`, spec.template.metadata.labels)] || `[]`</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="l">/apis/apps/v1/namespaces/{{request.namespace}}/deployments</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ regex_match(&#39;&#39;^[0-9]+$&#39;&#39;, &#39;&#39;{{ request.object.spec.maxUnavailable || &#39;&#39;&#39;&#39;}}&#39;&#39;) }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ length(deploymentreplicas) }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> PodDisruptionBudget must not specify maxUnavailable as zero if there are any existing matching Deployments which </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> have replicas numbering greater than zero. There are {{ length(deploymentreplicas) }} Deployments which match this labelSelector </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> having {{ deploymentreplicas[*].spec.replicas }} replicas.</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">deploymentreplicas</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.maxUnavailable }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">LessThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.spec.replicas }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/policy-for-exceptions/policy-for-exceptions/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/policy-for-exceptions/policy-for-exceptions/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/policy-for-exceptions/policy-for-exceptions.yaml" target="-blank">/other/policy-for-exceptions/policy-for-exceptions.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">policy-for-exceptions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Policy for PolicyExceptions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PolicyException</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 13</span><span class="cl"><span class="sd"> A PolicyException grants the applicable resource(s) or subject(s) the ability </span></span></span><span class="line"><span class="ln"> 14</span><span class="cl"><span class="sd"> to bypass an existing Kyverno policy. Care should be taken to ensure that </span></span></span><span class="line"><span class="ln"> 15</span><span class="cl"><span class="sd"> the allowed PolicyExceptions are scoped fine enough and according to your </span></span></span><span class="line"><span class="ln"> 16</span><span class="cl"><span class="sd"> organization&#39;s operation. This is a Kyverno policy intended to provide guardrails </span></span></span><span class="line"><span class="ln"> 17</span><span class="cl"><span class="sd"> for Kyverno PolicyExceptions and contains a number of rules which may help </span></span></span><span class="line"><span class="ln"> 18</span><span class="cl"><span class="sd"> with these scoping best practices. These rules may be changed/removed depending </span></span></span><span class="line"><span class="ln"> 19</span><span class="cl"><span class="sd"> on the exception practices to be implemented.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">single-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 29</span><span class="cl"><span class="w"> </span>- <span class="l">PolicyException</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 32</span><span class="cl"><span class="sd"> An exception is only allowed for a single policy. </span></span></span><span class="line"><span class="ln"> 33</span><span class="cl"><span class="sd"> Please create a separate exception per policy.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 34</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 35</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 36</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 37</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.exceptions[] | length(@)}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 38</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 40</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-match-name</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 41</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 42</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 43</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 44</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 45</span><span class="cl"><span class="w"> </span>- <span class="l">PolicyException</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 46</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 47</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 48</span><span class="cl"><span class="sd"> An exception must explicitly specify a name for a resource match.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 49</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 50</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 51</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 52</span><span class="cl"><span class="w"> </span><span class="nt">=(any)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 53</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 54</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 55</span><span class="cl"><span class="w"> </span><span class="nt">=(all)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 56</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 57</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 58</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-subject</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 59</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 60</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 61</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 62</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 63</span><span class="cl"><span class="w"> </span>- <span class="l">PolicyException</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 64</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 65</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 66</span><span class="cl"><span class="sd"> An exception must explicitly specify a subject which is expected to create the resource.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 67</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 68</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 69</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 70</span><span class="cl"><span class="w"> </span><span class="nt">=(any)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 71</span><span class="cl"><span class="w"> </span>- <span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 72</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 73</span><span class="cl"><span class="w"> </span><span class="nt">=(all)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 74</span><span class="cl"><span class="w"> </span>- <span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 75</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 76</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span>-<span class="l">cross-namespace-exceptions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 77</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 78</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 79</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 80</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 81</span><span class="cl"><span class="w"> </span>- <span class="l">PolicyException</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 82</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 83</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 84</span><span class="cl"><span class="sd"> An exception can only be created in the same Namespace as the resource being excluded.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 85</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 86</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 87</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 88</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.match.[any, all][].resources[].namespaces[] || `[]`}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 89</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 90</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.namespace }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 91</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespaced-exceptions-only</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 92</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 93</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 94</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 95</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 96</span><span class="cl"><span class="w"> </span>- <span class="l">PolicyException</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 97</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 98</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 99</span><span class="cl"><span class="sd"> An exception can only be created for a Namespaced resource, and a Namespace is required.</span><span class="w"> </span></span></span><span class="line"><span class="ln">100</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">101</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.match.[any, all][]</span><span class="w"> </span></span></span><span class="line"><span class="ln">102</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">103</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">104</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">105</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.resources.namespaces[] || `[]` | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">106</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">107</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">108</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">policy-namespace-match-polex-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">109</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">110</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">111</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">112</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">113</span><span class="cl"><span class="w"> </span>- <span class="l">PolicyException</span><span class="w"> </span></span></span><span class="line"><span class="ln">114</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">115</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">116</span><span class="cl"><span class="sd"> An exception may not be provided for a Namespaced Policy in another Namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln">117</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">118</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.exceptions[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">119</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">120</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">121</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.policyName}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">122</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">123</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*/*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">124</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">125</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">126</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">127</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.policyName}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">128</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">129</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.namespace}}/*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/prepend-image-registry/prepend-image-registry/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/prepend-image-registry/prepend-image-registry/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/prepend-image-registry/prepend-image-registry.yaml" target="-blank">/other/prepend-image-registry/prepend-image-registry.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion </span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prepend-registry</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prepend Image Registry</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.21&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Pulling images from outside registries may be undesirable due to untrustworthiness </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> or simply because the traffic results in an excess of bandwidth usage. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Instead of blocking them, they can be mutated to divert to an internal </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> registry which may already contain them or function as a pull-through proxy. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy prepends all images in both containers and initContainers to come </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> from `registry.io`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prepend-registry-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">registry.io/{{ images.containers.&#34;{{element.name}}&#34;.path}}:{{images.containers.&#34;{{element.name}}&#34;.tag}}</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prepend-registry-initcontainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.initContainers[] || &#39;&#39; | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.initContainers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">initContainers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">registry.io/{{ images.initContainers.&#34;{{element.name}}&#34;.path}}:{{images.initContainers.&#34;{{element.name}}&#34;.tag}}</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/prevent-bare-pods/prevent-bare-pods/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/prevent-bare-pods/prevent-bare-pods/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/prevent-bare-pods/prevent-bare-pods.yaml" target="-blank">/other/prevent-bare-pods/prevent-bare-pods.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-bare-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Bare Pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Pods not created by workload controllers such as Deployments </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> have no self-healing or scaling abilities and are unsuitable for production. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy prevents such &#34;bare&#34; Pods from being created unless they originate </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> from a higher-level workload controller of some sort.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">bare-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Bare Pods are not allowed. They must be created by Pod controllers.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">ownerReferences</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.keys(@)}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/prevent-bare-pods/prevent-bare-pods/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/prevent-bare-pods/prevent-bare-pods/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/prevent-bare-pods/prevent-bare-pods.yaml" target="-blank">/other-cel/prevent-bare-pods/prevent-bare-pods.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-bare-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Bare Pods in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Pods not created by workload controllers such as Deployments </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> have no self-healing or scaling abilities and are unsuitable for production. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy prevents such &#34;bare&#34; Pods from being created unless they originate </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> from a higher-level workload controller of some sort.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">bare-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#39;ownerReferences&#39; in object.metadata&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Bare Pods are not allowed. They must be created by Pod controllers.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/prevent-cr8escape/prevent-cr8escape/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/prevent-cr8escape/prevent-cr8escape/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/prevent-cr8escape/prevent-cr8escape.yaml" target="-blank">/other/prevent-cr8escape/prevent-cr8escape.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-cr8escape</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent cr8escape (CVE-2022-0811)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> A vulnerability &#34;cr8escape&#34; (CVE-2022-0811) in CRI-O the container runtime engine </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> underpinning Kubernetes allows attackers to escape from a Kubernetes container </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> and gain root access to the host. The recommended remediation is to disallow </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> sysctl settings with + or = in their value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-sysctls-cr8escape</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;characters &#39;+&#39; or &#39;=&#39; are not allowed in sysctls values&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">=(sysctls)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">=(value)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!*+* &amp; !*=*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/prevent-cr8escape/prevent-cr8escape/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/prevent-cr8escape/prevent-cr8escape/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/prevent-cr8escape/prevent-cr8escape.yaml" target="-blank">/other-cel/prevent-cr8escape/prevent-cr8escape.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-cr8escape</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent cr8escape (CVE-2022-0811) in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> A vulnerability &#34;cr8escape&#34; (CVE-2022-0811) in CRI-O the container runtime engine </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> underpinning Kubernetes allows attackers to escape from a Kubernetes container </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> and gain root access to the host. The recommended remediation is to disallow </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> sysctl settings with + or = in their value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-sysctls-cr8escape</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> object.spec.?securityContext.?sysctls.orValue([]).all(sysctl, </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> !has(sysctl.value) || (!sysctl.value.contains(&#39;+&#39;) &amp;&amp; !sysctl.value.contains(&#39;=&#39;))) </span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;characters &#39;+&#39; or &#39;=&#39; are not allowed in sysctls values&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml" target="-blank">/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-disabling-injection-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Disabling Istio Sidecar Injection</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> One way sidecar injection in an Istio service mesh may be accomplished is by defining </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> thereby reducing visibility. This policy ensures that Pods cannot set the annotation </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> `sidecar.istio.io/inject` to a value of `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prohibit-inject-annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Pods may not disable sidecar injection by setting the annotation sidecar.istio.io/inject to a value of false.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">=(annotations)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">=(sidecar.istio.io/inject)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!false&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml" target="-blank">/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-disabling-injection-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Disabling Istio Sidecar Injection in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> One way sidecar injection in an Istio service mesh may be accomplished is by defining </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> thereby reducing visibility. This policy ensures that Pods cannot set the annotation </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> `sidecar.istio.io/inject` to a value of `false`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prohibit-inject-annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> object.metadata.?annotations[?&#39;sidecar.istio.io/inject&#39;].orValue(&#39;&#39;) != &#39;false&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Pods may not disable sidecar injection by setting the annotation sidecar.istio.io/inject to a value of false.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/prevent-duplicate-hpa/prevent-duplicate-hpa/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/prevent-duplicate-hpa/prevent-duplicate-hpa/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/prevent-duplicate-hpa/prevent-duplicate-hpa.yaml" target="-blank">/other/prevent-duplicate-hpa/prevent-duplicate-hpa.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-duplicate-hpa</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Duplicate HorizontalPodAutoscalers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">HorizontalPodAutoscaler</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> HorizontalPodAutoscaler (HPA) is useful to automatically adjust the number of pods in a deployment </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> or replication controller. It requires defining a specific target resource by kind and name. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> There are no built-in validation checks by the HPA controller to prevent the creation of multiple HPAs </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> which target the same resource. This policy has two rules, the first of which ensures that the only targetRef </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> prevents the creation of duplicate HPAs by validating that any new HPA targets a unique resource.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-kind-name-duplicates</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">HorizontalPodAutoscaler</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> The target kind must be specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet. </span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">scaleTargetRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment | StatefulSet | ReplicaSet | DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-targetref-duplicates</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">HorizontalPodAutoscaler</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="l">ReplicaSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.scaleTargetRef.kind }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">targets</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/autoscaling/v1/namespaces/{{ request.namespace }}/horizontalpodautoscalers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?spec.scaleTargetRef.kind==&#39;{{ request.object.spec.scaleTargetRef.kind }}&#39;].spec.scaleTargetRef.name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="sd"> The target {{ request.object.spec.scaleTargetRef.kind }} named </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="sd"> {{ request.object.spec.scaleTargetRef.name }} already has an existing </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="sd"> HPA configured for it. Duplicate HPAs are not allowed. </span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.scaleTargetRef.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ targets }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/prevent-duplicate-vpa/prevent-duplicate-vpa/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/prevent-duplicate-vpa/prevent-duplicate-vpa/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/prevent-duplicate-vpa/prevent-duplicate-vpa.yaml" target="-blank">/other/prevent-duplicate-vpa/prevent-duplicate-vpa.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-duplicate-vpa</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Duplicate VerticalPodAutoscalers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">VerticalPodAutoscaler</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> It requires defining a specific target resource by kind and name. There are no built-in </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> validation checks by the VPA controller to prevent the creation of multiple VPAs which target </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the same resource. This policy has two rules, the first of which ensures that the only targetRef </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> prevents the creation of duplicate VPAs by validating that any </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> new VPA targets a unique resource.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-kind-name-duplicates</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">VerticalPodAutoscaler</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> The target kind must be specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet.</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">targetRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment | StatefulSet | ReplicaSet | DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-targetref-duplicates</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">VerticalPodAutoscaler</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="l">ReplicaSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.targetRef.kind }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">targets</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/autoscaling.k8s.io/v1/namespaces/{{ request.namespace }}/verticalpodautoscalers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?spec.targetRef.kind==&#39;{{ request.object.spec.targetRef.kind }}&#39;].spec.targetRef.name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="sd"> The target {{ request.object.spec.targetRef.kind }} named </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="sd"> {{ request.object.spec.targetRef.name }} already has an existing </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="sd"> VPA configured for it. Duplicate VPAs are not allowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.targetRef.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ targets }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml" target="-blank">/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-linkerd-pod-injection-override</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Linkerd Pod Injection Override</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Linkerd</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> `disabled` may effectively disable mesh participation for that workload reducing </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> security and visibility. This policy prevents setting the annotation `linkerd.io/inject` </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> to `disabled` for Pods.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pod-injection-override</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Pods may not disable sidecar injection.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">=(annotations)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">=(linkerd.io/inject)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!disabled&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml" target="-blank">/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-linkerd-pod-injection-override</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Linkerd Pod Injection Override in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Linkerd in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> `disabled` may effectively disable mesh participation for that workload reducing </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> security and visibility. This policy prevents setting the annotation `linkerd.io/inject` </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> to `disabled` for Pods.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pod-injection-override</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.metadata.?annotations[?&#39;linkerd.io/inject&#39;].orValue(&#39;&#39;) != &#39;disabled&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Pods may not disable sidecar injection.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml" target="-blank">/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-linkerd-port-skipping</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Linkerd Port Skipping</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Linkerd</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> them from mTLS. This can be important in some narrow use cases but </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> generally should be avoided. This policy prevents Pods from setting </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pod-prevent-port-skipping</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Pods may not skip ports. The annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports` must not be set.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">=(annotations)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">X(config.linkerd.io/skip-inbound-ports)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">X(config.linkerd.io/skip-outbound-ports)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml" target="-blank">/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-linkerd-port-skipping</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Linkerd Port Skipping in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Linkerd in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> them from mTLS. This can be important in some narrow use cases but </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> generally should be avoided. This policy prevents Pods from setting </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pod-prevent-port-skipping</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> !has(object.metadata.annotations) || </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> (!(&#39;config.linkerd.io/skip-inbound-ports&#39; in object.metadata.annotations) &amp;&amp; !(&#39;config.linkerd.io/skip-outbound-ports&#39; in object.metadata.annotations))</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Pods may not skip ports. The annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports` must not be set.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/argo/application-prevent-updates-project/application-prevent-updates-project/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/argo/application-prevent-updates-project/application-prevent-updates-project/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//argo/application-prevent-updates-project/application-prevent-updates-project.yaml" target="-blank">/argo/application-prevent-updates-project/application-prevent-updates-project.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">application-prevent-updates-project</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Updates to Project</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Argo</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy prevents updates to the project field after an Application is created.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">project-updates</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The spec.project cannot be changed once the Application is created.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.project}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.oldObject.spec.project}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/argo-cel/application-prevent-updates-project/application-prevent-updates-project/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/argo-cel/application-prevent-updates-project/application-prevent-updates-project/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//argo-cel/application-prevent-updates-project/application-prevent-updates-project.yaml" target="-blank">/argo-cel/application-prevent-updates-project/application-prevent-updates-project.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">application-prevent-updates-project</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Updates to Project in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Argo in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy prevents updates to the project field after an Application is created.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">project-updates</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;operation-should-be-update&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.operation == &#39;UPDATE&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.project == oldObject.spec.project&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The spec.project cannot be changed once the Application is created.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/argo/application-prevent-default-project/application-prevent-default-project/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/argo/application-prevent-default-project/application-prevent-default-project/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//argo/application-prevent-default-project/application-prevent-default-project.yaml" target="-blank">/argo/application-prevent-default-project/application-prevent-default-project.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">application-prevent-default-project</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Use of Default Project</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Argo</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy prevents the use of the default project in an Application.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-project</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The default project may not be used in an Application.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">project</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!default&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/argo-cel/application-prevent-default-project/application-prevent-default-project/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/argo-cel/application-prevent-default-project/application-prevent-default-project/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//argo-cel/application-prevent-default-project/application-prevent-default-project.yaml" target="-blank">/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">application-prevent-default-project</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Prevent Use of Default Project in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Argo in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy prevents the use of the default project in an Application.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-project</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?project.orValue(&#39;&#39;) != &#39;default&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The default project may not be used in an Application.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/protect-node-taints/protect-node-taints/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/protect-node-taints/protect-node-taints/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/protect-node-taints/protect-node-taints.yaml" target="-blank">/other/protect-node-taints/protect-node-taints.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">protect-node-taints</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Protect Node Taints</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Node taints are often used as a control in multi-tenant use cases. </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> If users can alter them, they may be able to affect scheduling of </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Pods which may impact other workloads. This sample prohibits </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> altering of node taints unless by a user holding the `cluster-admin` </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> ClusterRole. Use of this policy requires removal of the Node resource filter </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> in the Kyverno ConfigMap ([Node,*,*]). Due to Kubernetes CVE-2021-25735, this policy </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> requires, at minimum, one of the following versions of Kubernetes: </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> v1.18.18, v1.19.10, v1.20.6, or v1.21.0.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">protect-node-taints</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">clusterRoles</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">cluster-admin</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Node taints may not be altered.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.taints}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.oldObject.spec.taints}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.taints}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/record-creation-details/record-creation-details/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/record-creation-details/record-creation-details/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/record-creation-details/record-creation-details.yaml" target="-blank">/other/record-creation-details/record-creation-details.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">record-creation-details</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Record Creation Details</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Kubernetes by default does not make a record of who or what </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> created a resource in that resource itself. It must be retrieved from </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> an audit log, if enabled, which can make it difficult for cluster </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> operators to know who was responsible for an object&#39;s creation. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> This policy writes an annotation with the key `kyverno.io/created-by` </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> having all the userInfo fields present in the AdmissionReview request </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> for any object being created. It then protects this annotation from </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> tampering or removal making it immutable. Although this policy matches on </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> all kinds (&#34;*&#34;) it is highly recommend to more narrowly scope it to only </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="sd"> the resources which should be labeled.</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">add-userinfo</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="s1">&#39;*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/created-by</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.userInfo.{groups: groups, username: username} | to_string(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-updates-deletes-userinfo-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="s1">&#39;*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.oldObject.metadata.annotations.\&#34;kyverno.io/created-by\&#34; || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The annotation kyverno.io/created-by is protected and may not be altered or removed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.annotations.\&#34;kyverno.io/created-by\&#34; || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.annotations.\&#34;kyverno.io/created-by\&#34; || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.oldObject.metadata.annotations.\&#34;kyverno.io/created-by\&#34; }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/refresh-env-var-in-pod/refresh-env-var-in-pod/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/refresh-env-var-in-pod/refresh-env-var-in-pod/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/refresh-env-var-in-pod/refresh-env-var-in-pod.yaml" target="-blank">/other/refresh-env-var-in-pod/refresh-env-var-in-pod.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">refresh-env-var-in-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Refresh Environment Variables in Pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,Deployment,Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> When Pods consume Secrets or ConfigMaps through environment variables, should the contents </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> of those source resources change, the downstream Pods are normally not aware of them. In order </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> for the changes to be reflected, Pods must either restart or be respawned. This policy watches </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> for changes to Secrets which have been marked for this refreshing process which contain the label </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> `kyverno.io/watch=true` and will write an annotation to any Deployment Pod template which consume </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> them as env vars. This will result in a new rollout of Pods which will pick up the changed values. </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> See the related policy entitled &#34;Refresh Volumes in Pods&#34; for a similar reloading process when ConfigMaps </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> and Secrets are consumed as volumes instead. Use of this policy may require providing the Kyverno ServiceAccount </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> with permission to update Deployments.</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">mutateExistingOnPolicyUpdate</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">refresh-from-secret-env</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/watch</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">apps/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">corp.org/random</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ random(&#39;[0-9a-z]{8}&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="nt">valueFrom</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">secretKeyRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">&lt;(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.name }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/refresh-volumes-in-pods/refresh-volumes-in-pods/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/refresh-volumes-in-pods/refresh-volumes-in-pods/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/refresh-volumes-in-pods/refresh-volumes-in-pods.yaml" target="-blank">/other/refresh-volumes-in-pods/refresh-volumes-in-pods.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">refresh-volumes-in-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Refresh Volumes in Pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Although ConfigMaps and Secrets mounted as volumes to a Pod, when the contents change, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> will eventually propagate to the Pods mounting them, this process may take between 60-90 seconds. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> In order to reduce that time, a modification made to downstream Pods will cause the changes </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> to take effect almost instantly. This policy watches for changes to ConfigMaps which have been </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> marked for this quick reloading process which contain the label `kyverno.io/watch=true` and </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> will write an annotation to any Pods which mount them as volumes causing a fast refresh in their </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> contents. See the related policy entitled &#34;Refresh Environment Variables in Pods&#34; for a similar </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> reloading process when ConfigMaps and Secrets are consumed as environment variables instead. </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> Use of this policy may require providing the Kyverno ServiceAccount with permission </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="sd"> to update Pods.</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">mutateExistingOnPolicyUpdate</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">refresh-from-configmap-volume</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/watch</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.namespace }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">corp.org/random</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ random(&#39;[0-9a-z]{8}&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="nt">configMap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">&lt;(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.name }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/remove-hostpath-volumes/remove-hostpath-volumes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/remove-hostpath-volumes/remove-hostpath-volumes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/remove-hostpath-volumes/remove-hostpath-volumes.yaml" target="-blank">/other/remove-hostpath-volumes/remove-hostpath-volumes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">remove-hostpath-volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Remove hostPath Volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,Volume</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.25&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pods which mount hostPath volumes are provided access to the underlying filesystem </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> of the Node on which they run. In most scenarios, this should be forbidden. In others, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> it may be useful to silently remove those hostPath volumes rather than blocking the Pod. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy removes all hostPath volumes and their volumeMount references from all containers </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> within a Pod.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">remove-hostpath-all</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hostpathvolnames</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.volumes[?hostPath].name</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ length(hostpathvolnames) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.volumes[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">order</span><span class="p">:</span><span class="w"> </span><span class="l">Descending</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">hostPath</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.keys(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> - path: /spec/volumes/{{elementIndex}} </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> op: remove</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.containers[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34; element.volumeMounts || `[]` &#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">order</span><span class="p">:</span><span class="w"> </span><span class="l">Descending</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ hostpathvolnames }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="sd"> - path: /spec/containers/{{elementIndex0}}/volumeMounts/{{elementIndex1}} </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="sd"> op: remove</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/remove-serviceaccount-token/remove-serviceaccount-token/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/remove-serviceaccount-token/remove-serviceaccount-token/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/remove-serviceaccount-token/remove-serviceaccount-token.yaml" target="-blank">/other/remove-serviceaccount-token/remove-serviceaccount-token.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">remove-serviceaccount-token</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Remove ServiceAccount Token</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,ServiceAccount,Volume</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.25&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pods running with a ServiceAccount are presented with a volume, containing </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the token, and volume mounts for all containers in the Pod. Applications that </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> do not need to communicate with the Kubernetes API do not need a ServiceAccount and </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> therefore limiting which Pods have access rights is important. Rather than, or in addition to, </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> requiring that certain Pods disable mounting of a ServiceAccount, it is possible to silently </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> remove this token if it has been presented. This policy ensures that Pods which do not </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> have the label `corp.org/can-use-serviceaccount` and are consuming a ServiceAccount </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> have that stripped away. It should be customized to restrict the scope of its operation as it </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> will not distinguish between an explicitly-defined ServiceAccount or one provided by default.</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">remove-vol-volmount</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">matchExpressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">corp.org/can-use-serviceaccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">DoesNotExist</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">tokenvolname</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.volumes[?projected].name[?starts_with(@,&#39;kube-api-access-&#39;)] | [0] || &#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ tokenvolname }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.volumes[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">order</span><span class="p">:</span><span class="w"> </span><span class="l">Descending</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">projected</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.keys(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;kube-api-access-*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="sd"> - path: /spec/volumes/{{elementIndex}} </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="sd"> op: remove</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.containers[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">element.volumeMounts</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">order</span><span class="p">:</span><span class="w"> </span><span class="l">Descending</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ tokenvolname }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="sd"> - path: /spec/containers/{{elementIndex0}}/volumeMounts/{{elementIndex1}} </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="sd"> op: remove</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/replace-image-registry/replace-image-registry/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/replace-image-registry/replace-image-registry/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/replace-image-registry/replace-image-registry.yaml" target="-blank">/other/replace-image-registry/replace-image-registry.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">replace-image-registry</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Replace Image Registry</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Rather than blocking Pods which come from outside registries, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> it is also possible to mutate them so the pulls are directed to </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> approved registries. In some cases, those registries may function as </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> pull-through proxies and can fetch the image if not cached. </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> This policy mutates all images either in the form &#39;image:tag&#39; or </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> &#39;registry.corp.com/image:tag&#39; to be `myregistry.corp.com/`. Any </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> path in the image name will be preserved. Note that this mutates Pods </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> directly and not their controllers. It can be changed if desired but </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="sd"> if so may need to not match on Pods. </span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">replace-image-registry-pod-containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ regex_replace_all(&#39;^(localhost/|(?:[a-z0-9]+\\.)+[a-z0-9]+/)?(.*)$&#39;, &#39;{{element.image}}&#39;, &#39;myregistry.corp.com/$2&#39; )}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">replace-image-registry-pod-initcontainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.initContainers[] || `[]` | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.initContainers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">initContainers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ regex_replace_all(&#39;^(localhost/|(?:[a-z0-9]+\\.)+[a-z0-9]+/)?(.*)$&#39;, &#39;{{element.image}}&#39;, &#39;myregistry.corp.com/$2&#39; )}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml" target="-blank">/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">replace-image-registry-with-harbor</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Replace Image Registry With Harbor</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Some registries like Harbor offer pull-through caches for images from certain registries. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Images can be re-written to be pulled from the redirected registry instead of the original and </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the registry will proxy pull the image, adding it to its internal cache. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> The imageData context variable in this policy provides a normalized view </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> of the container image, allowing the policy to make decisions based on various </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> &#34;live&#34; image details. As a result, it requires access to the source registry and the existence </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> of the target image to verify those details.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">redirect-docker</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.initContainers[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imageData</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{imageData.registry}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">index.docker.io</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">initContainers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.containers[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imageData</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{imageData.registry}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">index.docker.io</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/replace-ingress-hosts/replace-ingress-hosts/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/replace-ingress-hosts/replace-ingress-hosts/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/replace-ingress-hosts/replace-ingress-hosts.yaml" target="-blank">/other/replace-ingress-hosts/replace-ingress-hosts.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">replace-ingress-hosts</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Replace Ingress Hosts</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> An Ingress may specify host names at a variety of locations in the same resource. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> In some cases, those host names should be modified to, for example, update domain names </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> silently. The replacement must be done in all the fields where a host name can be specified. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy, illustrating the use of nested foreach loops and operable in Kyverno 1.9+, replaces </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> host names that end with `old.com` with `new.com`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">replace-old-with-new</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.rules</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> - path: /spec/rules/{{elementIndex}}/host </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> op: replace </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> value: {{replace_all(&#39;{{element.host}}&#39;, &#39;.old.com&#39;, &#39;.new.com&#39;)}}</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.tls[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;element.hosts&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> - path: /spec/tls/{{elementIndex0}}/hosts/{{elementIndex1}} </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> op: replace </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> value: &#34;{{ replace_all(&#39;{{element}}&#39;, &#39;.old.com&#39;, &#39;.new.com&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.tls[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> - path: /spec/tls/{{elementIndex}}/secretName </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> op: replace </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> value: &#34;{{ replace_all(&#39;{{element.secretName}}&#39;, &#39;.old.com&#39;, &#39;.new.com&#39;) }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-annotations/require-annotations/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-annotations/require-annotations/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-annotations/require-annotations.yaml" target="-blank">/other/require-annotations/require-annotations.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Define and use annotations that identify semantic attributes of your application or Deployment. </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> A common set of annotations allows tools to work collaboratively, describing objects in a common manner that </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> all tools can understand. The recommended annotations describe applications in a way that can be </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> queried. This policy validates that the annotation `corp.org/department` is specified with some value. </span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-for-annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The annotation `corp.org/department` is required.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">corp.org/department</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-annotations/require-annotations/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-annotations/require-annotations/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/require-annotations/require-annotations.yaml" target="-blank">/other-cel/require-annotations/require-annotations.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Annotations in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Define and use annotations that identify semantic attributes of your application or Deployment. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> A common set of annotations allows tools to work collaboratively, describing objects in a common manner that </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> all tools can understand. The recommended annotations describe applications in a way that can be </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> queried. This policy validates that the annotation `corp.org/department` is specified with some value. </span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-for-annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> object.metadata.?annotations[?&#39;corp.org/department&#39;].orValue(&#39;&#39;) != &#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The annotation `corp.org/department` is required.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/aws/require-aws-node-irsa/require-aws-node-irsa/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/aws/require-aws-node-irsa/require-aws-node-irsa/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//aws/require-aws-node-irsa/require-aws-node-irsa.yaml" target="-blank">/aws/require-aws-node-irsa/require-aws-node-irsa.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-aws-node-irsa</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require aws-node DaemonSet use IRSA</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">AWS, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> According to EKS best practices, the `aws-node` DaemonSet is configured to use </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> a role assigned to the EC2 instances to assign IPs to Pods. This role includes </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> several AWS managed policies that effectively allow all Pods running on a Node </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> to attach/detach ENIs, assign/unassign IP addresses, or pull images from ECR. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> Since this presents a risk to your cluster, it is recommended that you update </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-node-daemonset-irsa</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">aws-node</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Update the aws-node daemonset to use IRSA.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">serviceAccountName</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!aws-node&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-container-port-names/require-container-port-names/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-container-port-names/require-container-port-names/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-container-port-names/require-container-port-names.yaml" target="-blank">/other/require-container-port-names/require-container-port-names.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-container-port-names</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Container Port Names</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Containers may define ports on which they listen. In addition to a port number, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> a name field may optionally be used. Including a name makes it easier when defining </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Service resource definitions and others since the name may be referenced allowing </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the port number to change. This policy requires that for every containerPort defined </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> there is also a name specified. </span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">port-name</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Name is required for every containerPort.</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">=(ports)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-container-port-names/require-container-port-names/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-container-port-names/require-container-port-names/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/require-container-port-names/require-container-port-names.yaml" target="-blank">/other-cel/require-container-port-names/require-container-port-names.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-container-port-names</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Container Port Names in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Containers may define ports on which they listen. In addition to a port number, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> a name field may optionally be used. Including a name makes it easier when defining </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Service resource definitions and others since the name may be referenced allowing </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the port number to change. This policy requires that for every containerPort defined </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> there is also a name specified. </span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">port-name</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers.all(container, container.?ports.orValue([]).all(port, has(port.name)))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Name is required for every containerPort.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-cpu-limits/require-cpu-limits/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-cpu-limits/require-cpu-limits/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-cpu-limits/require-cpu-limits.yaml" target="-blank">/other/require-cpu-limits/require-cpu-limits.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-cpu-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require CPU Limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Setting CPU limits on containers ensures fair distribution of resources, preventing any single container from monopolizing CPU and impacting the performance of other containers. This practice enhances stability, predictability, and cost control, while also mitigating the noisy neighbor problem and facilitating efficient scaling in Kubernetes clusters. This policy ensures that cpu limits are set on every container.</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-cpu-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;CPU limits are required for all containers.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">=(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">=(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml" target="-blank">/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-encryption-aws-loadbalancers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Encryption with AWS LoadBalancers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">AWS, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.3</span><span class="p">,</span><span class="w"> </span><span class="m">1.8.0</span>-<span class="l">rc2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23-1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Services of type LoadBalancer when deployed inside AWS have support for </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> transport encryption if it is enabled via an annotation. This policy requires </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> that Services of type LoadBalancer contain the annotation </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">aws-loadbalancer-has-ssl-cert</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">service.beta.kubernetes.io/aws-load-balancer-ssl-cert</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">(spec)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">(type)</span><span class="p">:</span><span class="w"> </span><span class="l">LoadBalancer</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml" target="-blank">/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-encryption-aws-loadbalancers</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Encryption with AWS LoadBalancers in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">AWS, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Services of type LoadBalancer when deployed inside AWS have support for </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> transport encryption if it is enabled via an annotation. This policy requires </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> that Services of type LoadBalancer contain the annotation </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">aws-loadbalancer-has-ssl-cert</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;type-should-be-load-balancer&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.type == &#39;LoadBalancer&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> object.metadata.?annotations[?&#39;service.beta.kubernetes.io/aws-load-balancer-ssl-cert&#39;].orValue(&#39;&#39;) != &#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-image-source/require-image-source/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-image-source/require-image-source/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-image-source/require-image-source.yaml" target="-blank">/other/require-image-source/require-image-source.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-image-source</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Image Source</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Images can be built from a variety of source control locations and </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the name does not necessarily indicate this mapping. Ensuring that known good </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> repositories are the source of images helps ensure supply chain security. This </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> policy checks the container images and ensures that they specify the source in </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> either a label `org.opencontainers.image.source` or a newer annotation in the </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> manifest of the same name.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-source</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The image source must be specified in a label or annotation.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imageData</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{labels: configData.config.Labels, annotations: manifest.annotations}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ imageData.labels.\&#34;org.opencontainers.image.source\&#34; || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*?&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ imageData.annotations.\&#34;org.opencontainers.image.source\&#34; || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*?&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-vulnerability-scan/require-vulnerability-scan/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-vulnerability-scan/require-vulnerability-scan/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-vulnerability-scan/require-vulnerability-scan.yaml" target="-blank">/other/require-vulnerability-scan/require-vulnerability-scan.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-vulnerability-scan</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Image Vulnerability Scans</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Software Supply Chain Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.3</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> An important part of ensuring software supply chain integrity is performing </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> periodic vulnerability scans on images. Initial scans as part of the build process </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> is necessary, but as new vulnerabilities are discovered the scans must be refreshed. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy ensures that images, signed with Cosign&#39;s keyless ability during a GitHub </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> Actions workflow, have attested vulnerability scans not older than one week. This </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> policy is expected to be customized based upon your signing strategy and applicable to </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> the images you designate.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">webhookTimeoutSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">10</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">failurePolicy</span><span class="p">:</span><span class="w"> </span><span class="l">Fail</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">scan-not-older-than-one-week</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">verifyImages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">imageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;ghcr.io/myorg/myrepo:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">attestations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">predicateType</span><span class="p">:</span><span class="w"> </span><span class="l">cosign.sigstore.dev/attestation/vuln/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">keyless</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">subject</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://github.com/myorg/myrepo/.github/workflows/*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">issuer</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://token.actions.githubusercontent.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">rekor</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l">https://rekor.sigstore.dev</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ time_since(&#39;&#39;,&#39;{{metadata.scanFinishedOn}}&#39;,&#39;&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">LessThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;168h&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/imagepullpolicy-always/imagepullpolicy-always/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/imagepullpolicy-always/imagepullpolicy-always/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/imagepullpolicy-always/imagepullpolicy-always.yaml" target="-blank">/other/imagepullpolicy-always/imagepullpolicy-always.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imagepullpolicy-always</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require imagePullPolicy Always</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> If the `latest` tag is allowed for images, it is a good idea to have the </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> when the `latest` tag is specified explicitly or where a tag is not defined at all.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imagepullpolicy-always</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="sd"> The imagePullPolicy must be set to `Always` when the tag `latest` is used.</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">(image)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*:latest | !*:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">imagePullPolicy</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Always&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/imagepullpolicy-always/imagepullpolicy-always/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/imagepullpolicy-always/imagepullpolicy-always/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml" target="-blank">/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imagepullpolicy-always</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require imagePullPolicy Always in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> If the `latest` tag is allowed for images, it is a good idea to have the </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> when the `latest` tag is specified explicitly or where a tag is not defined at all.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">imagepullpolicy-always</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> object.spec.containers.all(container, </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> (container.image.endsWith(&#39;:latest&#39;) || !container.image.contains(&#39;:&#39;)) ? </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> container.imagePullPolicy == &#39;Always&#39; : true)</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> The imagePullPolicy must be set to `Always` when the tag `latest` is used.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-imagepullsecrets/require-imagepullsecrets/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-imagepullsecrets/require-imagepullsecrets/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-imagepullsecrets/require-imagepullsecrets.yaml" target="-blank">/other/require-imagepullsecrets/require-imagepullsecrets.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-imagepullsecrets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require imagePullSecrets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Some registries, both public and private, require credentials in order to pull images </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> from them. This policy checks those images and if they come from a registry </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> other than ghcr.io or quay.io an `imagePullSecret` is required.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-for-image-pull-secrets</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ images.containers.*.registry }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ghcr.io</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">quay.io</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;An `imagePullSecret` is required when pulling from this registry.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">imagePullSecrets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-image-checksum/require-image-checksum/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-image-checksum/require-image-checksum/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-image-checksum/require-image-checksum.yaml" target="-blank">/other/require-image-checksum/require-image-checksum.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-image-checksum</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Images Use Checksums</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Use of a SHA checksum when pulling an image is often preferable because tags are mutable and can be overwritten. This policy checks to ensure that all images use SHA checksums rather than tags.</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-image-checksum</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Images must use checksums rather than tags.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*@*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*@*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*@*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-image-checksum/require-image-checksum/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-image-checksum/require-image-checksum/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/require-image-checksum/require-image-checksum.yaml" target="-blank">/other-cel/require-image-checksum/require-image-checksum.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-image-checksum</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Images Use Checksums in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Use of a SHA checksum when pulling an image is often preferable because tags </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> are mutable and can be overwritten. This policy checks to ensure that all images </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> use SHA checksums rather than tags.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-image-checksum</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers.all(container, container.image.contains(&#39;@&#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Images must use checksums rather than tags.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-ingress-https/require-ingress-https/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-ingress-https/require-ingress-https/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-ingress-https/require-ingress-https.yaml" target="-blank">/other/require-ingress-https/require-ingress-https.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-ingress-https</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Ingress HTTPS</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Ingress resources should only allow secure traffic by disabling </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> HTTP and therefore only allowing HTTPS. This policy requires that all </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Ingress resources set the annotation `kubernetes.io/ingress.allow-http` to </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> `&#34;false&#34;` and specify TLS in the spec.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">has-annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The kubernetes.io/ingress.allow-http annotation must be set to false.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">kubernetes.io/ingress.allow-http</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">has-tls</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;TLS must be defined.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">tls</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.keys(@) }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-ingress-https/require-ingress-https/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-ingress-https/require-ingress-https/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/require-ingress-https/require-ingress-https.yaml" target="-blank">/other-cel/require-ingress-https/require-ingress-https.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-ingress-https</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Ingress HTTPS in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Ingress resources should only allow secure traffic by disabling </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> HTTP and therefore only allowing HTTPS. This policy requires that all </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Ingress resources set the annotation `kubernetes.io/ingress.allow-http` to </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> `&#34;false&#34;` and specify TLS in the spec.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">has-annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> object.metadata.?annotations[?&#39;kubernetes.io/ingress.allow-http&#39;].orValue(&#39;default&#39;) == &#39;false&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The kubernetes.io/ingress.allow-http annotation must be set to false.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">has-tls</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has(object.spec.tls)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;TLS must be defined.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio/require-authorizationpolicy/require-authorizationpolicy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio/require-authorizationpolicy/require-authorizationpolicy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio/require-authorizationpolicy/require-authorizationpolicy.yaml" target="-blank">/istio/require-authorizationpolicy/require-authorizationpolicy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-authorizationpolicies</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Istio AuthorizationPolicies</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">AuthorizationPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> An AuthorizationPolicy is used to provide access controls for traffic in the mesh and </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> can be defined at multiple levels. For the Namespace level, all Namespaces should have </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> at least one AuthorizationPolicy. This policy, designed to run in background mode for reporting </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> purposes, ensures every Namespace has at least one AuthorizationPolicy.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-authz-pol</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allauthorizationpolicies</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/security.istio.io/v1beta1/authorizationpolicies&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[].metadata.namespace&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;All Namespaces must have an AuthorizationPolicy.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{allauthorizationpolicies}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kubecost/require-kubecost-labels/require-kubecost-labels/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kubecost/require-kubecost-labels/require-kubecost-labels/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kubecost/require-kubecost-labels/require-kubecost-labels.yaml" target="-blank">/kubecost/require-kubecost-labels/require-kubecost-labels.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-kubecost-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Kubecost Labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Kubecost</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Label</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.25&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Kubecost can use labels assigned to Pods in order to track and display </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> cost allocation in a granular way. These labels, which can be customized, can be used </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to organize and group workloads in different ways. This policy requires that the labels </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> `owner`, `team`, `department`, `app`, and `env` are all defined on Pods. With Kyverno </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> autogen enabled (absence of the annotation `pod-policies.kyverno.io/autogen-controllers=none`), </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> these labels will also be required for all Pod controllers.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The Kubecost labels `owner`, `team`, `department`, `app`, and `env` are all required for Pods.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">owner</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">team</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">department</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kubecost-cel/require-kubecost-labels/require-kubecost-labels/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kubecost-cel/require-kubecost-labels/require-kubecost-labels/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml" target="-blank">/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-kubecost-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Kubecost Labels in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Kubecost in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Label</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Kubecost can use labels assigned to Pods in order to track and display </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> cost allocation in a granular way. These labels, which can be customized, can be used </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to organize and group workloads in different ways. This policy requires that the labels </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> `owner`, `team`, `department`, `app`, and `env` are all defined on Pods. With Kyverno </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> autogen enabled (absence of the annotation `pod-policies.kyverno.io/autogen-controllers=none`), </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> these labels will also be required for all Pod controllers.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> object.metadata.?labels.?owner.orValue(&#39;&#39;) != &#39;&#39; &amp;&amp; </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> object.metadata.?labels.?team.orValue(&#39;&#39;) != &#39;&#39; &amp;&amp; </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> object.metadata.?labels.?department.orValue(&#39;&#39;) != &#39;&#39; &amp;&amp; </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> object.metadata.?labels.?app.orValue(&#39;&#39;) != &#39;&#39; &amp;&amp; </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> object.metadata.?labels.?env.orValue(&#39;&#39;) != &#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The Kubecost labels `owner`, `team`, `department`, `app`, and `env` are all required for Pods.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/require-labels/require-labels/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/require-labels/require-labels/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/require-labels/require-labels.yaml" target="-blank">/best-practices/require-labels/require-labels.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Label</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Define and use labels that identify semantic attributes of your application or Deployment. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> A common set of labels allows tools to work collaboratively, describing objects in a common manner that </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> all tools can understand. The recommended labels describe applications in a way that can be </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-for-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The label `app.kubernetes.io/name` is required.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/require-labels/require-labels/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/require-labels/require-labels/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/require-labels/require-labels.yaml" target="-blank">/best-practices-cel/require-labels/require-labels.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Labels in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Label</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Define and use labels that identify semantic attributes of your application or Deployment. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> A common set of labels allows tools to work collaboratively, describing objects in a common manner that </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> all tools can understand. The recommended labels describe applications in a way that can be </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-for-labels</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> object.metadata.?labels[?&#39;app.kubernetes.io/name&#39;].orValue(&#39;&#39;) != &#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The label `app.kubernetes.io/name` is required.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/require-pod-requests-limits/require-pod-requests-limits/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/require-pod-requests-limits/require-pod-requests-limits/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml" target="-blank">/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-requests-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Limits and Requests</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> As application workloads share cluster resources, it is important to limit resources </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> requested and consumed by each Pod. It is recommended to require resource requests and </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> defaults will automatically be applied to each Pod based on the LimitRange configuration. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy validates that all containers have something specified for memory and CPU </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> requests and memory limits.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-resources</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;CPU and memory resource requests and memory limits are required for containers.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/require-pod-requests-limits/require-pod-requests-limits/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/require-pod-requests-limits/require-pod-requests-limits/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/require-pod-requests-limits/require-pod-requests-limits.yaml" target="-blank">/best-practices-cel/require-pod-requests-limits/require-pod-requests-limits.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-requests-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Limits and Requests in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> As application workloads share cluster resources, it is important to limit resources </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> requested and consumed by each Pod. It is recommended to require resource requests and </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> defaults will automatically be applied to each Pod based on the LimitRange configuration. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy validates that all containers have something specified for memory and CPU </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> requests and memory limits.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-resources</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> object.spec.containers.all(container, </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> has(container.resources) &amp;&amp; </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> has(container.resources.requests) &amp;&amp; </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> has(container.resources.requests.memory) &amp;&amp; </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> has(container.resources.requests.cpu) &amp;&amp; </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> has(container.resources.limits) &amp;&amp; </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> has(container.resources.limits.memory))</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;CPU and memory resource requests and limits are required.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml" target="-blank">/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-linkerd-mesh-injection</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Linkerd Mesh Injection</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Linkerd</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace, Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Sidecar proxy injection in Linkerd may be handled at the Namespace level by </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-mesh-annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;All Namespaces must set the annotation `linkerd.io/inject` to `enabled`.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">linkerd.io/inject</span><span class="p">:</span><span class="w"> </span><span class="l">enabled</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml" target="-blank">/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-linkerd-mesh-injection</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Linkerd Mesh Injection in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Linkerd in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace, Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Sidecar proxy injection in Linkerd may be handled at the Namespace level by </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-mesh-annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.metadata.?annotations[?&#39;linkerd.io/inject&#39;].orValue(&#39;&#39;) == &#39;enabled&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;All Namespaces must set the annotation `linkerd.io/inject` to `enabled`.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/linkerd/require-linkerd-server/require-linkerd-server/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/linkerd/require-linkerd-server/require-linkerd-server/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//linkerd/require-linkerd-server/require-linkerd-server.yaml" target="-blank">/linkerd/require-linkerd-server/require-linkerd-server.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-linkerd-server</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Linkerd Server</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Linkerd</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, Server</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.8.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> In Linkerd 2.11, a Server resource selects ports on a set of Pods in the </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> same Namespace and is used to deny traffic which then must be authorized later. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Ensuring that Linkerd policy is enforced on Pods in the mesh is important to maintaining </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> a secure environment. This policy, requiring Linkerd 2.11+, has two rules designed to check </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> Deployments (exposing ports) and Services to ensure a corresponding Server resource </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> exists first.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-deployment-has-server</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.template.spec.containers[].ports[] || `[]` | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">server_count</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/policy.linkerd.io/v1beta1/namespaces/{{request.namespace}}/servers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?label_match(spec.podSelector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | length(@)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Every Deployment declaring ports requires a matching Server.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{server_count}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">LessThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-service-has-server</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">server_count</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/policy.linkerd.io/v1beta1/namespaces/{{request.namespace}}/servers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?label_match(spec.podSelector.matchLabels, `{{request.object.spec.selector}}`)] | length(@)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Every Service requires a matching Server.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{server_count}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">LessThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml" target="-blank">/other/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment-has-multiple-replicas</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Multiple Replicas</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Deployments with a single replica cannot be highly available and thus the application </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> may suffer downtime if that one replica goes down. This policy validates that Deployments </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> have more than one replica.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment-has-multiple-replicas</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Deployments should have more than one replica to ensure availability.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;1&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml" target="-blank">/other-cel/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment-has-multiple-replicas</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Multiple Replicas in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Deployments with a single replica cannot be highly available and thus the application </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> may suffer downtime if that one replica goes down. This policy validates that Deployments </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> have more than one replica.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment-has-multiple-replicas</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.replicas &gt; 1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Deployments should have more than one replica to ensure availability.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/tekton/require-tekton-namespace-pipelinerun/require-tekton-namespace-pipelinerun/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/tekton/require-tekton-namespace-pipelinerun/require-tekton-namespace-pipelinerun/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//tekton/require-tekton-namespace-pipelinerun/require-tekton-namespace-pipelinerun.yaml" target="-blank">/tekton/require-tekton-namespace-pipelinerun/require-tekton-namespace-pipelinerun.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-tekton-namespace-pipelinerun</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Namespace for Tekton PipelineRun</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Tekton</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PipelineRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="l">A Namespace is required for a PipelineRun and may not be set to `default`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-pipelinerun-namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">PipelineRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;A namespace is required and may not be set to default.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!default&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-netpol/require-netpol/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-netpol/require-netpol/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-netpol/require-netpol.yaml" target="-blank">/other/require-netpol/require-netpol.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-network-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> NetworkPolicy is used to control Pod-to-Pod communication </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> and is a good practice to ensure only authorized Pods can send/receive </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> traffic. This policy checks incoming Deployments to ensure </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> they have a matching, preexisting NetworkPolicy.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-network-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">policies_count</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/networking.k8s.io/v1/namespaces/{{request.namespace}}/networkpolicies&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?label_match(spec.podSelector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | length(@)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Every Deployment requires a matching NetworkPolicy.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{policies_count}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">LessThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-non-root-groups/require-non-root-groups/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-non-root-groups/require-non-root-groups/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-non-root-groups/require-non-root-groups.yaml" target="-blank">/other/require-non-root-groups/require-non-root-groups.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-non-root-groups</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Non-Root Groups</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.3.6</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Containers should be forbidden from running with a root primary or supplementary GID. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> greater than zero (i.e., non root). A known issue prevents a policy such as this </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-runasgroup</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> Running with root group IDs is disallowed. The fields </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup, </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.runAsGroup, and </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> spec.ephemeralContainers[*].securityContext.runAsGroup must be </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> set to a value greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">anyPattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsGroup)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsGroup)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsGroup)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-supplementalgroups</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="sd"> Containers cannot run with a root primary or supplementary GID. The field </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="sd"> spec.securityContext.supplementalGroups must be unset or </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="sd"> set to a value greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">=(supplementalGroups)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-fsgroup</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="sd"> Containers cannot run with a root primary or supplementary GID. The field </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="sd"> spec.securityContext.fsGroup must be unset or set to a value greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">83</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">84</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">85</span><span class="cl"><span class="w"> </span><span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">86</span><span class="cl"><span class="w"> </span><span class="nt">=(fsGroup)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-non-root-groups/require-non-root-groups/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-non-root-groups/require-non-root-groups/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/require-non-root-groups/require-non-root-groups.yaml" target="-blank">/other-cel/require-non-root-groups/require-non-root-groups.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-non-root-groups</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Non-Root Groups in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Containers should be forbidden from running with a root primary or supplementary GID. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> greater than zero (i.e., non root). A known issue prevents a policy such as this </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-runasgroup</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> ( </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> object.spec.?securityContext.?runAsGroup.orValue(-1) &gt; 0 &amp;&amp; </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> variables.allContainers.all(container, container.?securityContext.?runAsGroup.orValue(1) &gt; 0) </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> ) || </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> ( </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> variables.allContainers.all(container, container.?securityContext.?runAsGroup.orValue(-1) &gt; 0) </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> )</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> Running with root group IDs is disallowed. The fields </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup, </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.runAsGroup, and </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="sd"> spec.ephemeralContainers[*].securityContext.runAsGroup must be </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="sd"> set to a value greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-supplementalgroups</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="sd"> object.spec.?securityContext.?supplementalGroups.orValue([]).all(group, group &gt; 0)</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="sd"> Containers cannot run with a root primary or supplementary GID. The field </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="sd"> spec.securityContext.supplementalGroups must be unset or </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="sd"> set to a value greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-fsgroup</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="sd"> object.spec.?securityContext.?fsGroup.orValue(1) &gt; 0</span><span class="w"> </span></span></span><span class="line"><span class="ln">83</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">84</span><span class="cl"><span class="sd"> Containers cannot run with a root primary or supplementary GID. The field </span></span></span><span class="line"><span class="ln">85</span><span class="cl"><span class="sd"> spec.securityContext.fsGroup must be unset or set to a value greater than zero.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-pod-priorityclassname/require-pod-priorityclassname/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-pod-priorityclassname/require-pod-priorityclassname/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-pod-priorityclassname/require-pod-priorityclassname.yaml" target="-blank">/other/require-pod-priorityclassname/require-pod-priorityclassname.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-pod-priorityclassname</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Pod priorityClassName</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Multi-Tenancy, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> A Pod may optionally specify a priorityClassName which indicates the scheduling </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> priority relative to others. This requires creation of a PriorityClass object in advance. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> With this created, a Pod may set this field to that value. In a multi-tenant environment, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> it is often desired to require this priorityClassName be set to make certain tenant </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> scheduling guarantees. This policy requires that a Pod defines the priorityClassName field </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> with some value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-priorityclassname</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Pods must define the priorityClassName field.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">priorityClassName</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-pod-priorityclassname/require-pod-priorityclassname/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-pod-priorityclassname/require-pod-priorityclassname/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/require-pod-priorityclassname/require-pod-priorityclassname.yaml" target="-blank">/other-cel/require-pod-priorityclassname/require-pod-priorityclassname.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-pod-priorityclassname</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Pod priorityClassName in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Multi-Tenancy, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> A Pod may optionally specify a priorityClassName which indicates the scheduling </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> priority relative to others. This requires creation of a PriorityClass object in advance. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> With this created, a Pod may set this field to that value. In a multi-tenant environment, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> it is often desired to require this priorityClassName be set to make certain tenant </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> scheduling guarantees. This policy requires that a Pod defines the priorityClassName field </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> with some value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-priorityclassname</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?priorityClassName.orValue(&#39;&#39;) != &#39;&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Pods must define the priorityClassName field.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/require-probes/require-probes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/require-probes/require-probes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/require-probes/require-probes.yaml" target="-blank">/best-practices/require-probes/require-probes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-pod-probes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">DaemonSet,Deployment,StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Pod Probes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Liveness and readiness probes need to be configured to correctly manage a Pod&#39;s </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> `livenessProbe` is performed by the kubelet to determine if the Pod&#39;s containers </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> are running or need to be restarted. A `readinessProbe` is used by Services </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> and Deployments to determine if the Pod is ready to receive network traffic. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy validates that all containers have one of livenessProbe, readinessProbe, </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> or startupProbe defined.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-probes</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Liveness, readiness, or startup probes are required for all containers.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.containers[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">livenessProbe</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AllNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.keys(@)[] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">startupProbe</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AllNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.keys(@)[] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">readinessProbe</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AllNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.keys(@)[] }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/require-probes/require-probes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/require-probes/require-probes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/require-probes/require-probes.yaml" target="-blank">/best-practices-cel/require-probes/require-probes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-pod-probes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">DaemonSet,Deployment,StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Pod Probes in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Liveness and readiness probes need to be configured to correctly manage a Pod&#39;s </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> `livenessProbe` is performed by the kubelet to determine if the Pod&#39;s containers </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> are running or need to be restarted. A `readinessProbe` is used by Services </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> and Deployments to determine if the Pod is ready to receive network traffic. </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> This policy validates that all containers have one of livenessProbe, readinessProbe, </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> or startupProbe defined.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-probes</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> object.spec.containers.all(container, </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> has(container.livenessProbe) || </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> has(container.startupProbe) || </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> has(container.readinessProbe))</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Liveness, readiness, or startup probes are required for all containers.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-pdb/require-pdb/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-pdb/require-pdb/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-pdb/require-pdb.yaml" target="-blank">/other/require-pdb/require-pdb.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-pdb</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> PodDisruptionBudget resources are useful to ensuring minimum availability </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> is maintained at all times. This policy checks all incoming Deployments and StatefulSets </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to ensure they have a matching, preexisting PodDisruptionBudget. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> Note: This policy must be run in `enforce` mode to ensure accuracy.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-pdb</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.replicas }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">3</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pdb_count</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/policy/v1/namespaces/{{request.namespace}}/poddisruptionbudgets&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?label_match(spec.selector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | length(@)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;There is no corresponding PodDisruptionBudget found for this Deployment.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{pdb_count}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">LessThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-qos-burstable/require-qos-burstable/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-qos-burstable/require-qos-burstable/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-qos-burstable/require-qos-burstable.yaml" target="-blank">/other/require-qos-burstable/require-qos-burstable.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-qos-burstable</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require QoS Burstable</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, Multi-Tenancy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> priority guarantees based upon the resources they define. When a Pod has at least </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> one container which defines either requests or limits for either memory or CPU, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Kubernetes grants the QoS class as burstable if it does not otherwise qualify for a QoS class of guaranteed. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy requires that a Pod meet the criteria qualify for a QoS of burstable. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy is provided with the intention that users will need to control its scope by using </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> exclusions, preconditions, and other policy language mechanisms.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">burstable</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;At least one container in the Pod must define either requests or limits for either CPU or memory.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">requests</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.containers[].resources.keys(@)[] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">limits</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.containers[].resources.keys(@)[] }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-qos-burstable/require-qos-burstable/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-qos-burstable/require-qos-burstable/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/require-qos-burstable/require-qos-burstable.yaml" target="-blank">/other-cel/require-qos-burstable/require-qos-burstable.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-qos-burstable</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require QoS Burstable in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, Multi-Tenancy in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> priority guarantees based upon the resources they define. When a Pod has at least </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> one container which defines either requests or limits for either memory or CPU, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> Kubernetes grants the QoS class as burstable if it does not otherwise qualify for a QoS class of guaranteed. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy requires that a Pod meet the criteria qualify for a QoS of burstable. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> This policy is provided with the intention that users will need to control its scope by using </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> exclusions, preconditions, and other policy language mechanisms.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">burstable</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> object.spec.containers.exists(container, </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> has(container.resources) &amp;&amp; </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> (has(container.resources.requests) || has(container.resources.limits)))</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;At least one container in the Pod must define either requests or limits for either CPU or memory.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-qos-guaranteed/require-qos-guaranteed/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-qos-guaranteed/require-qos-guaranteed/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-qos-guaranteed/require-qos-guaranteed.yaml" target="-blank">/other/require-qos-guaranteed/require-qos-guaranteed.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-qos-guaranteed</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require QoS Guaranteed</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, Multi-Tenancy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> priority guarantees based upon the resources they define. When Pods define both </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> requests and limits for both memory and CPU, and the requests and limits are equal </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> to each other, Kubernetes grants the QoS class as guaranteed which allows them to run </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> at a higher priority than others. This policy requires that all containers within a Pod </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> run with this definition resulting in a guaranteed QoS. This policy is provided with the </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> intention that users will need to control its scope by using </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> exclusions, preconditions, and other policy language mechanisms.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">guaranteed</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;All containers must define memory and CPU requests and limits where they are equal.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.resources.requests.cpu}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.resources.requests.memory}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-qos-guaranteed/require-qos-guaranteed/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-qos-guaranteed/require-qos-guaranteed/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/require-qos-guaranteed/require-qos-guaranteed.yaml" target="-blank">/other-cel/require-qos-guaranteed/require-qos-guaranteed.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-qos-guaranteed</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require QoS Guaranteed in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, Multi-Tenancy in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> priority guarantees based upon the resources they define. When Pods define both </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> requests and limits for both memory and CPU, and the requests and limits are equal </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> to each other, Kubernetes grants the QoS class as guaranteed which allows them to run </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> at a higher priority than others. This policy requires that all containers within a Pod </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> run with this definition resulting in a guaranteed QoS. This policy is provided with the </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> intention that users will need to control its scope by using </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> exclusions, preconditions, and other policy language mechanisms.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">guaranteed</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> object.spec.containers.all(container, </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> has(container.resources) &amp;&amp; </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> has(container.resources.requests) &amp;&amp; </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> has(container.resources.requests.cpu) &amp;&amp; has(container.resources.requests.memory) &amp;&amp; </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> has(container.resources.limits) &amp;&amp; </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> has(container.resources.limits.cpu) &amp;&amp; has(container.resources.limits.memory) &amp;&amp; </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> container.resources.requests.cpu == container.resources.limits.cpu &amp;&amp; </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> container.resources.requests.memory == container.resources.limits.memory)</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;All containers must define memory and CPU requests and limits where they are equal.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/require-ro-rootfs/require-ro-rootfs/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/require-ro-rootfs/require-ro-rootfs/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/require-ro-rootfs/require-ro-rootfs.yaml" target="-blank">/best-practices/require-ro-rootfs/require-ro-rootfs.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-ro-rootfs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Read-Only Root Filesystem</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices, EKS Best Practices, PSP Migration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> A read-only root file system helps to enforce an immutable infrastructure strategy; </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> the container only needs to write on the mounted volume that persists the state. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> An immutable root filesystem can also prevent malicious binaries from writing to the </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> host system. This policy validates that containers define a securityContext </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> with `readOnlyRootFilesystem: true`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-readOnlyRootFilesystem</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Root filesystem must be read-only.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">readOnlyRootFilesystem</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/require-ro-rootfs/require-ro-rootfs/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/require-ro-rootfs/require-ro-rootfs/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml" target="-blank">/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-ro-rootfs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Read-Only Root Filesystem in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices, EKS Best Practices, PSP Migration in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> A read-only root file system helps to enforce an immutable infrastructure strategy; </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> the container only needs to write on the mounted volume that persists the state. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> An immutable root filesystem can also prevent malicious binaries from writing to the </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> host system. This policy validates that containers define a securityContext </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> with `readOnlyRootFilesystem: true`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-readOnlyRootFilesystem</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> object.spec.containers.all(container, </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> container.?securityContext.?readOnlyRootFilesystem.orValue(false) == true)</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Root filesystem must be read-only.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-reasonable-pdbs/require-reasonable-pdbs/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-reasonable-pdbs/require-reasonable-pdbs/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-reasonable-pdbs/require-reasonable-pdbs.yaml" target="-blank">/other/require-reasonable-pdbs/require-reasonable-pdbs.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-reasonable-pdbs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Reasonable PodDisruptionBudgets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> PodDisruptionBudget resources are useful to ensuring minimum availability is maintained at all times. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Achieving a balance between availability and maintainability is important. This policy validates that a </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> PodDisruptionBudget, specified as percentages, allows 50% of the replicas to be out of service in that </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> minAvailable should be no higher than 50% and maxUnavailable should be no lower than 50%.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="c"># Checks if PDB fields minAvailable or maxUnavailable use percentages and, if they do,</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="c"># ensures that the percentage allows 50% of the replicas to be out of service.</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-reasonable-pdb-percentage</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">PodDisruptionBudget</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="c"># check if either minAvailable or maxUnavailable is a percentage</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ regex_match(&#39;&#39;^[0-9]+%$&#39;&#39;, &#39;&#39;{{ request.object.spec.minAvailable || &#39;&#39;&#39;&#39;}}&#39;&#39;) }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ regex_match(&#39;&#39;^[0-9]+%$&#39;&#39;, &#39;&#39;{{ request.object.spec.maxUnavailable || &#39;&#39;&#39;&#39;}}&#39;&#39;) }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> PodDisruptionBudget percentages should allow 50% out of service. minAvailable should be no higher than 50% </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> and maxUnavailable should be no lower than 50%.</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="c"># deny if minAvailable is greater than 50% or maxUnavailable is less than 50%</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ regex_match(&#39;&#39;^([1-9]|[1-4][0-9]|5[0])%$&#39;&#39;, &#39;&#39;{{ request.object.spec.minAvailable || &#39;&#39;50%&#39;&#39;}}&#39;&#39;) }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ regex_match(&#39;&#39;^([5-9][0-9]|100)%$&#39;&#39;, &#39;&#39;{{ request.object.spec.maxUnavailable || &#39;&#39;50%&#39;&#39;}}&#39;&#39;) }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-replicas-allow-disruption/require-replicas-allow-disruption/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-replicas-allow-disruption/require-replicas-allow-disruption/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-replicas-allow-disruption/require-replicas-allow-disruption.yaml" target="-blank">/other/require-replicas-allow-disruption/require-replicas-allow-disruption.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-replicas-allow-disruption</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Replicas Allow Disruption</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.4</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PodDisruptionBudget, Deployment, StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Existing PodDisruptionBudgets can apply to all future matching Pod controllers. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> If the minAvailable field is defined for such matching PDBs and the replica count of a new </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Deployment or StatefulSet is lower than that, then availability could be negatively impacted. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy specifies that Deployment/StatefulSet replicas exceed the minAvailable value of all </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> matching PodDisruptionBudgets which specify minAvailable as a number and not percentage.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">replicas-check</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">matchingpdbs</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">items[?label_match(spec.selector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)]</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="l">/apis/policy/v1/namespaces/{{request.namespace}}/poddisruptionbudgets</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.replicas }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ length(matchingpdbs) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> Replica count ({{ request.object.spec.replicas }}) cannot be less than or equal to the minAvailable of any </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> matching PodDisruptionBudget. There are {{ length(matchingpdbs) }} PodDisruptionBudgets which match this labelSelector, </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> not all of which may define a minAvailable value as a number.</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">matchingpdbs</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{ regex_match(&#39;&#39;^[0-9]+$&#39;&#39;, &#39;&#39;{{ element.spec.minAvailable || &#39;&#39;&#39;&#39; }}&#39;&#39;) }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.replicas }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">LessThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.spec.minAvailable }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-emptydir-requests-limits/require-emptydir-requests-limits/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-emptydir-requests-limits/require-emptydir-requests-limits/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml" target="-blank">/other/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-emptydir-requests-and-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Requests and Limits for emptyDir</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pods which mount emptyDir volumes may be allowed to potentially overrun </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the medium backing the emptyDir volume. This sample ensures that any </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> initContainers or containers mounting an emptyDir volume have </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> ephemeral-storage requests and limits set. Policy will be skipped if </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> the volume has already a sizeLimit set.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-emptydir-requests-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">emptydirnames</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.volumes[?contains(keys(@), &#39;emptyDir&#39;) &amp;&amp; !contains(keys(emptyDir), &#39;sizeLimit&#39;)].name</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.volumes[?contains(keys(@), &#39;emptyDir&#39;)] || `[]` | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Containers mounting emptyDir volumes must specify requests and limits for ephemeral-storage.</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.[initContainers, containers][]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.volumeMounts[].name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ emptydirnames }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">ephemeral-storage</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">ephemeral-storage</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml" target="-blank">/other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-emptydir-requests-and-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Requests and Limits for emptyDir in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Pods which mount emptyDir volumes may be allowed to potentially overrun </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> the medium backing the emptyDir volume. This sample ensures that any </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> initContainers or containers mounting an emptyDir volume have </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> ephemeral-storage requests and limits set. Policy will be skipped if </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> the volume has already a sizeLimit set.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-emptydir-requests-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has-emptydir-volume&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?volumes.orValue([]).exists(volume, has(volume.emptyDir))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers + object.spec.?initContainers.orValue([])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">emptydirnames</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> has(object.spec.volumes) ? </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> object.spec.volumes.filter(volume, has(volume.emptyDir) &amp;&amp; !has(volume.emptyDir.sizeLimit)).map(volume, volume.name) : []</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> variables.containers.all(container, </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> !container.?volumeMounts.orValue([]).exists(mount, mount.name in variables.emptydirnames) || </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> container.resources.?requests[?&#39;ephemeral-storage&#39;].hasValue() &amp;&amp; </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> container.resources.?limits[?&#39;ephemeral-storage&#39;].hasValue())</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Containers mounting emptyDir volumes must specify requests and limits for ephemeral-storage.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/windows-security/require-run-as-containeruser/require-run-as-containeruser/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/windows-security/require-run-as-containeruser/require-run-as-containeruser/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml" target="-blank">/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-run-as-containeruser</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Run As ContainerUser (Windows)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Windows Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.28&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Containers must be required to run as ContainerUser. This policy ensures that the fields </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> spec.securityContext.windowsOptions.runAsUserName, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> spec.containers[*].securityContext.windowsOptions.runAsUserName, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.windowsOptions.runAsUserName, </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> and is either unset or set to ContainerUser.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-run-as-containeruser</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> Running the container as ContainerAdministrator,NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE is not allowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">=(windowsOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsUserName)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ContainerUser&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">=(windowsOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsUserName)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ContainerUser&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">=(windowsOptions)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsUserName)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ContainerUser&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml" target="-blank">/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-run-as-non-root-user</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Run As Non-Root User</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Containers must be required to run as non-root users. This policy ensures </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> `runAsUser` is either unset or set to a number greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">run-as-non-root-user</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="sd"> Running as root is not allowed. The fields spec.securityContext.runAsUser, </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="sd"> spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> set to a number greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsUser)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsUser)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsUser)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsUser)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&gt;0&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml" target="-blank">/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-run-as-non-root-user</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Run As Non-Root User in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Containers must be required to run as non-root users. This policy ensures </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> `runAsUser` is either unset or set to a number greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">run-as-non-root-user</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> !has(object.spec.securityContext) || </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> !has(object.spec.securityContext.runAsUser) || </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> object.spec.securityContext.runAsUser &gt; 0</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> Running as root is not allowed. The field spec.securityContext.runAsUser must be unset or </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> set to a number greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> object.spec.containers.all(container, !has(container.securityContext) || </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> !has(container.securityContext.runAsUser) || </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> container.securityContext.runAsUser &gt; 0)</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> Running as root is not allowed. The field spec.containers[*].securityContext.runAsUser must be unset or </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> set to a number greater than zero</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="sd"> !has(object.spec.initContainers) || </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="sd"> object.spec.initContainers.all(container, !has(container.securityContext) || </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="sd"> !has(container.securityContext.runAsUser) || </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="sd"> container.securityContext.runAsUser &gt; 0)</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="sd"> Running as root is not allowed. The field spec.initContainers[*].securityContext.runAsUser must be unset or </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="sd"> set to a number greater than zero</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="sd"> !has(object.spec.ephemeralContainers) || </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="sd"> object.spec.ephemeralContainers.all(container, !has(container.securityContext) || </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="sd"> !has(container.securityContext.runAsUser) || </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="sd"> container.securityContext.runAsUser &gt; 0)</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="sd"> Running as root is not allowed. The field spec.ephemeralContainers[*].securityContext.runAsUser must be unset or </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="sd"> set to a number greater than zero</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/restricted/require-run-as-non-root-user/require-run-as-non-root-user/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/restricted/require-run-as-non-root-user/require-run-as-non-root-user/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml" target="-blank">/pod-security-vpol/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-run-as-non-root-user</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Run As Non-Root User in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Containers must be required to run as non-root users. This policy ensures </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> `runAsUser` is either unset or set to a number greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> object.spec.?securityContext.?runAsUser.orValue(1) &gt; 0</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> Running as root is not allowed. The field spec.securityContext.runAsUser </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> must be unset or set to a number greater than zero.</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> container.?securityContext.?runAsUser.orValue(1) &gt; 0)</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> Running as root is not allowed. The field spec.containers[*].securityContext.runAsUser, </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.runAsUser, and </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> spec.ephemeralContainers[*].securityContext.runAsUser must be unset or set to a number greater than zero.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml" target="-blank">/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-run-as-nonroot</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require runAsNonRoot</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Containers must be required to run as non-root users. This policy ensures </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">run-as-non-root</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="sd"> Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> must be set to `true`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">anyPattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsNonRoot)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsNonRoot)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsNonRoot)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml" target="-blank">/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-run-as-nonroot</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require runAsNonRoot in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Containers must be required to run as non-root. This policy ensures </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> `runAsNonRoot` is set to true.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">run-as-non-root</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;podSecurityContext&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?securityContext.orValue({})&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;allContainers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;podRunAsNonRoot&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.podSecurityContext.?runAsNonRoot.orValue(false)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;podLevelEnforced&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> variables.podRunAsNonRoot &amp;&amp; </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> container.?securityContext.?runAsNonRoot.orValue(true) == true </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> )</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;containerLevelEnforced&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="sd"> container.?securityContext.?runAsNonRoot.orValue(false) == true </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="sd"> )</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.podLevelEnforced || variables.containerLevelEnforced&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="sd"> Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot or all of </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="sd"> spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot and </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="sd"> spec.ephemeralContainers[*].securityContext.runAsNonRoot, must be set to true.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/restricted/require-run-as-nonroot/require-run-as-nonroot/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/restricted/require-run-as-nonroot/require-run-as-nonroot/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml" target="-blank">/pod-security-vpol/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-run-as-nonroot</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require runAsNonRoot in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Containers must be required to run as non-root. This policy ensures </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> `runAsNonRoot` is set to true.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ctnrs</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> (object.spec.?securityContext.?runAsNonRoot.orValue(false) == true </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> &amp;&amp; variables.ctnrs.all(c, c.?securityContext.?runAsNonRoot.orValue(true) == true)) </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> || variables.ctnrs.all(c, c.?securityContext.?runAsNonRoot.orValue(false) == true)</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> Running as root is not allowed. Either spec.securityContext.runAsNonRoot </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> must be set to true, or all containers (spec.containers[*], spec.initContainers[*], </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> spec.ephemeralContainers[*]) must have securityContext.runAsNonRoot set to true.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/tekton/require-tekton-securitycontext/require-tekton-securitycontext/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/tekton/require-tekton-securitycontext/require-tekton-securitycontext/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//tekton/require-tekton-securitycontext/require-tekton-securitycontext.yaml" target="-blank">/tekton/require-tekton-securitycontext/require-tekton-securitycontext.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-tekton-securitycontext</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require securityContext for Tekton TaskRun</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Tekton</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">TaskRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="l">A securityContext is required for each TaskRun step.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-step-securitycontext</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">tekton.dev/v1beta1/TaskRun.status</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;A securityContext is required with `privileged` and `allowPrivilegeEscalation` set to `false`.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">=(status)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">=(taskSpec)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="c"># TODO: missing securityContext for digest-to-results</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!digest-to-results&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="c"># TODO: ideally all tasks run as non-root</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="c">#runAsNonRoot: true</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">privileged</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">allowPrivilegeEscalation</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures.yaml" target="-blank">/tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">signed-pipeline-bundle</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Signed Tekton Pipeline</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Tekton</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PipelineRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="l">A signed bundle is required</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">webhookTimeoutSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-signature</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">PipelineRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">imageExtractors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">PipelineRun</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;pipelineruns&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/spec/pipelineRef</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;bundle&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">verifyImages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">imageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">publicKeys</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> -----BEGIN PUBLIC KEY----- </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEahmSvGFmxMJABilV1usgsw6ImcQ/ </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> gDaxw57Sq+uNGHW8Q3zUSx46PuRqdTI+4qE3Ng2oFZgLMpFN/qMrP0MQQg== </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> -----END PUBLIC KEY-----</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/tekton/verify-tekton-taskrun-signatures/verify-tekton-taskrun-signatures/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/tekton/verify-tekton-taskrun-signatures/verify-tekton-taskrun-signatures/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//tekton/verify-tekton-taskrun-signatures/verify-tekton-taskrun-signatures.yaml" target="-blank">/tekton/verify-tekton-taskrun-signatures/verify-tekton-taskrun-signatures.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">signed-tekton-task-bundle</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Signed Tekton Task</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Tekton</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">TaskRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> A signed bundle is required.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">webhookTimeoutSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-signature</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">TaskRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">imageExtractors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">TaskRun</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;taskruns&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/spec/taskRef</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;bundle&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">verifyImages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">imageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">publicKeys</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> -----BEGIN PUBLIC KEY----- </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEahmSvGFmxMJABilV1usgsw6ImcQ/ </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> gDaxw57Sq+uNGHW8Q3zUSx46PuRqdTI+4qE3Ng2oFZgLMpFN/qMrP0MQQg== </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> -----END PUBLIC KEY-----</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-storageclass/require-storageclass/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-storageclass/require-storageclass/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-storageclass/require-storageclass.yaml" target="-blank">/other/require-storageclass/require-storageclass.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-storageclass</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require StorageClass</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, Multi-Tenancy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PersistentVolumeClaim, StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> PersistentVolumeClaims (PVCs) and StatefulSets may optionally define a StorageClass </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> to dynamically provision storage. In a multi-tenancy environment where StorageClasses are </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> far more common, it is often better to require storage only be provisioned from these </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> StorageClasses. This policy requires that PVCs and StatefulSets containing </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> volumeClaimTemplates define the storageClassName field with some value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pvc-storageclass</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">PersistentVolumeClaim</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;PersistentVolumeClaims must define a storageClassName.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">storageClassName</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ss-storageclass</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;StatefulSets must define a storageClassName.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">=(volumeClaimTemplates)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">storageClassName</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-storageclass/require-storageclass/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/require-storageclass/require-storageclass/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/require-storageclass/require-storageclass.yaml" target="-blank">/other-cel/require-storageclass/require-storageclass.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-storageclass</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require StorageClass in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, Multi-Tenancy in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">PersistentVolumeClaim, StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> PersistentVolumeClaims (PVCs) and StatefulSets may optionally define a StorageClass </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> to dynamically provision storage. In a multi-tenancy environment where StorageClasses are </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> far more common, it is often better to require storage only be provisioned from these </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> StorageClasses. This policy requires that PVCs and StatefulSets containing </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> volumeClaimTemplates define the storageClassName field with some value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pvc-storageclass</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">PersistentVolumeClaim</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?storageClassName.orValue(&#39;&#39;) != &#39;&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;PersistentVolumeClaims must define a storageClassName.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ss-storageclass</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="sd"> !has(object.spec.volumeClaimTemplates) || </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="sd"> object.spec.volumeClaimTemplates.all(volumeClaimTemplate, </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="sd"> volumeClaimTemplate.spec.?storageClassName.orValue(&#39;&#39;) != &#39;&#39;)</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;StatefulSets must define a storageClassName.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/tekton/require-tekton-bundle/require-tekton-bundle/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/tekton/require-tekton-bundle/require-tekton-bundle/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//tekton/require-tekton-bundle/require-tekton-bundle.yaml" target="-blank">/tekton/require-tekton-bundle/require-tekton-bundle.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-tekton-bundle</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Tekton Bundle</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Tekton</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">TaskRun, PipelineRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> PipelineRun and TaskRun resources must be executed from a bundle</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-bundle-pipelinerun</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">PipelineRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;A bundle is required.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pipelineRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">bundle</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-bundle-taskrun</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="l">TaskRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;A bundle is required.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">taskRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">bundle</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/tekton-cel/require-tekton-bundle/require-tekton-bundle/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/tekton-cel/require-tekton-bundle/require-tekton-bundle/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml" target="-blank">/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-tekton-bundle</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Tekton Bundle in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Tekton in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">TaskRun, PipelineRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> PipelineRun and TaskRun resources must be executed from a bundle</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-bundle-pipelinerun</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">PipelineRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?pipelineRef.?bundle.orValue(&#39;&#39;) != &#39;&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;A bundle is required.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-bundle-taskrun</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="l">TaskRun</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?taskRef.?bundle.orValue(&#39;&#39;) != &#39;&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;A bundle is required.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift/check-routes/check-routes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift/check-routes/check-routes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift/check-routes/check-routes.yaml" target="-blank">/openshift/check-routes/check-routes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-routes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require TLS routes in OpenShift</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">OpenShift</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.20&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Route</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-tls-routes</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">route.openshift.io/v1/Route</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;DELETE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> HTTP routes are not allowed. Configure TLS for secure routes.</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ keys(request.object.spec) | contains(@, &#39;tls&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift-cel/check-routes/check-routes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift-cel/check-routes/check-routes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift-cel/check-routes/check-routes.yaml" target="-blank">/openshift-cel/check-routes/check-routes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-routes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require TLS routes in OpenShift in CEL expressions </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">OpenShift in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Route</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-tls-routes</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">route.openshift.io/v1/Route</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has(object.spec.tls)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> HTTP routes are not allowed. Configure TLS for secure routes.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-unique-external-dns/require-unique-external-dns/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-unique-external-dns/require-unique-external-dns/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-unique-external-dns/require-unique-external-dns.yaml" target="-blank">/other/require-unique-external-dns/require-unique-external-dns.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">unique-external-dns</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Unique External DNS Services</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.5.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.21&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> ExternalDNS, part of Kubernetes SIGs, triggers the creation of external DNS records in supported </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> providers when the annotation`external-dns.alpha.kubernetes.io/hostname` is present. Like with </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> internal DNS, duplicates must be avoided. This policy requires every such Service have a cluster-unique </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> hostname present in the value of the annotation.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ensure-valid-externaldns-annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">external-dns.alpha.kubernetes.io/hostname</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="c"># Looks up external DNS entries.</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">alldns</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/services&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?[metadata.namespace, metadata.name] != [&#39;{{request.object.metadata.namespace}}&#39;, &#39;{{request.object.metadata.name}}&#39;]].metadata.annotations.\&#34;external-dns.alpha.kubernetes.io/hostname\&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> External DNS entry &#34;{{request.object.metadata.annotations.&#34;external-dns.alpha.kubernetes.io/hostname&#34;}}&#34; is already </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> taken by another service in the cluster.</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="c"># Deny if &#34;external-dns.alpha.kubernetes.io/hostname&#34; annotation value is already taken</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.annotations.\&#34;external-dns.alpha.kubernetes.io/hostname\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{alldns}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift/unique-routes/unique-routes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift/unique-routes/unique-routes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift/unique-routes/unique-routes.yaml" target="-blank">/openshift/unique-routes/unique-routes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">unique-routes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require unique host names in OpenShift routes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">OpenShift</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.20&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Route</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> An Route host is a URL at which services may be made available externally. In most cases, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> these hosts should be unique across the cluster to ensure no routing conflicts occur. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy checks an incoming Route resource to ensure its hosts are unique to the cluster.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-unique-routes</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">route.openshift.io/v1/Route</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hosts</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/route.openshift.io/v1/Routes&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[].spec.host&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;DELETE&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> The Route host name must be unique.</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.host }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ hosts }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-unique-service-selector/require-unique-service-selector/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-unique-service-selector/require-unique-service-selector/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-unique-service-selector/require-unique-service-selector.yaml" target="-blank">/other/require-unique-service-selector/require-unique-service-selector.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-unique-service-selector</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Unique Service Selector</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Services select eligible Pods by way of label matches. Having multiple </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Service apply based on same labels can cause conflicts and have unintended </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> consequences. This policy ensures that within the same Namespace a Service has </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> a unique set of labels as a selector.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-service-selector</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">services</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{request.namespace}}/services&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?spec.selector]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">service_count</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;services[?label_match(spec.selector, `{{request.object.spec.selector}}`)] | length(@)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;There is already a matching selector for this Service.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{service_count}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/require-unique-uid-per-workload/require-unique-uid-per-workload/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/require-unique-uid-per-workload/require-unique-uid-per-workload/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml" target="-blank">/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-unique-uid-per-workload</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Require Unique UID per Workload</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="sd"> Two distinct workloads should not share a UID so that in a multitenant environment, applications </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> from different projects never run as the same user ID. When using persistent storage, </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> any files created by applications will also have different ownership in the file system. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Running processes for applications as different user IDs means that if a security </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> vulnerability were ever discovered in the underlying container runtime, and an application </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> were able to break out of the container to the host, they would not be able to interact </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> with processes owned by other users, or from other applications, in other projects.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.20&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-unique-uid</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">uidsAllPodsExceptSameOwnerAsRequestObject</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/pods&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="c"># Gets UIDs of all Pods, excluding those of pods whos ownerReference</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="c"># references the same owner as the policy subject (request.object)</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="c"># UIDs need to be strings, because the &#34;In&#34; operator (see below in the conditions Block) only works on lists of strings.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="c"># see https://github.com/kyverno/website/blob/b08d6d8356bd46b8d55ab52324a9cfa243399b01/content/en/docs/Writing%20policies/preconditions.md?plain=1#L154</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?@.metadata.ownerReferences == false || metadata.ownerReferences[?uid != &#39;{{ request.object.metadata.keys(@).contains(@, &#39;ownerReferences&#39;) &amp;&amp; request.object.metadata.ownerReferences[0].uid }}&#39;]].spec.containers[].securityContext.to_string(runAsUser)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Only cluster-unique UIDs are allowed&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="c"># this checks uids for ALL containers in any pod of the workload</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.containers[].securityContext.to_string(runAsUser) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ uidsAllPodsExceptSameOwnerAsRequestObject }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/resolve-image-to-digest/resolve-image-to-digest/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/resolve-image-to-digest/resolve-image-to-digest/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/resolve-image-to-digest/resolve-image-to-digest.yaml" target="-blank">/other/resolve-image-to-digest/resolve-image-to-digest.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">resolve-image-to-digest</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Resolve Image to Digest</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Image tags are mutable and the change of an image can result in the same tag. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy resolves the image digest of each image in a container and replaces </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the image with the fully resolved reference which includes the digest rather than tag.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">resolve-to-digest</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.containers&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">resolvedRef</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">imageRegistry</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">reference</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;resolvedImage&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ resolvedRef }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restart-deployment-on-secret-change/restart-deployment-on-secret-change/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restart-deployment-on-secret-change/restart-deployment-on-secret-change/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restart-deployment-on-secret-change/restart-deployment-on-secret-change.yaml" target="-blank">/other/restart-deployment-on-secret-change/restart-deployment-on-secret-change.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restart-deployment-on-secret-change</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restart Deployment On Secret Change</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> If Secrets are mounted in ways which do not naturally allow updates to </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> be live refreshed it may be necessary to modify a Deployment. This policy </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> watches a Secret and if it changes will write an annotation </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> to one or more target Deployments thus triggering a new rollout and thereby </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> refreshing the referred Secret. It may be necessary to grant additional privileges </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> one, so it can modify Deployments.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">mutateExistingOnPolicyUpdate</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">update-secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">mysecret</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">apps/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">busybox</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">ops.corp.com/triggerrestart</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.resourceVersion}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psp-migration/restrict-adding-capabilities/restrict-adding-capabilities.yaml" target="-blank">/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">psp-restrict-adding-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Adding Capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">PSP Migration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Adding capabilities is a way for containers in a Pod to request higher levels </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> of ability than those with which they may be provisioned. Many capabilities </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> allow system-level control and should be prevented. Pod Security Policies (PSP) </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> allowed a list of &#34;good&#34; capabilities to be added. This policy checks </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> ephemeralContainers, initContainers, and containers to ensure the only </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> capabilities that can be added are either NET_BIND_SERVICE or CAP_CHOWN.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> Any capabilities added other than NET_BIND_SERVICE or CAP_CHOWN are disallowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.[ephemeralContainers, initContainers, containers][]</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.securityContext.capabilities.add[] || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="l">NET_BIND_SERVICE</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="l">CAP_CHOWN</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="s1">&#39;&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities.yaml" target="-blank">/psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">psp-restrict-adding-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Adding Capabilities in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">PSP Migration in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Adding capabilities is a way for containers in a Pod to request higher levels </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> of ability than those with which they may be provisioned. Many capabilities </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> allow system-level control and should be prevented. Pod Security Policies (PSP) </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> allowed a list of &#34;good&#34; capabilities to be added. This policy checks </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> ephemeralContainers, initContainers, and containers to ensure the only </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> capabilities that can be added are either NET_BIND_SERVICE or CAP_CHOWN.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowedCapabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;NET_BIND_SERVICE&#39;, &#39;CAP_CHOWN&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> container.?securityContext.?capabilities.?add.orValue([]).all(capability, capability in variables.allowedCapabilities))</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> Any capabilities added other than NET_BIND_SERVICE or CAP_CHOWN are disallowed.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-annotations/restrict-annotations/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-annotations/restrict-annotations/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-annotations/restrict-annotations.yaml" target="-blank">/other/restrict-annotations/restrict-annotations.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Some annotations control functionality driven by other cluster-wide tools and are not </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> normally set by some class of users. This policy prevents the use of an annotation beginning </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> with `fluxcd.io/`. This can be useful to ensure users either </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> don&#39;t set reserved annotations or to force them to use a newer version of an annotation.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-flux-v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Cannot use Flux v1 annotation.</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">=(annotations)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">X(fluxcd.io/*)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*?&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-annotations/restrict-annotations/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-annotations/restrict-annotations/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-annotations/restrict-annotations.yaml" target="-blank">/other-cel/restrict-annotations/restrict-annotations.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Annotations in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Some annotations control functionality driven by other cluster-wide tools and are not </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> normally set by some class of users. This policy prevents the use of an annotation beginning </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> with `fluxcd.io/`. This can be useful to ensure users either </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> don&#39;t set reserved annotations or to force them to use a newer version of an annotation.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-flux-v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!object.metadata.?annotations.orValue([]).exists(annotation, annotation.startsWith(&#39;fluxcd.io/&#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Cannot use Flux v1 annotation.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml" target="-blank">/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-apparmor-profiles</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict AppArmor</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Annotation</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.3.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> On supported hosts, the &#39;runtime/default&#39; AppArmor profile is applied by default. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> The default policy should prevent overriding or disabling the policy, or restrict </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> overrides to an allowed set of profiles. This policy ensures Pods do not </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> specify any other AppArmor profiles than `runtime/default` or `localhost/*`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">app-armor</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> Specifying other AppArmor profiles is disallowed. The annotation </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> `container.apparmor.security.beta.kubernetes.io` if defined </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> must not be set to anything other than `runtime/default` or `localhost/*`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">=(metadata)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">=(annotations)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">=(container.apparmor.security.beta.kubernetes.io/*)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;runtime/default | localhost/*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-automount-sa-token/restrict-automount-sa-token/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-automount-sa-token/restrict-automount-sa-token/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-automount-sa-token/restrict-automount-sa-token.yaml" target="-blank">/other/restrict-automount-sa-token/restrict-automount-sa-token.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-automount-sa-token</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Auto-Mount of Service Account Tokens</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Kubernetes automatically mounts ServiceAccount credentials in each Pod. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> The ServiceAccount may be assigned roles allowing Pods to access API resources. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Blocking this ability is an extension of the least privilege best practice and should </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> be followed if Pods do not need to speak to the API server to function. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy ensures that mounting of these ServiceAccount tokens is blocked.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-automountServiceAccountToken</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.\&#34;object\&#34;.metadata.labels.\&#34;app.kubernetes.io/part-of\&#34; || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">policy-reporter</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Auto-mounting of Service Account tokens is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">automountServiceAccountToken</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml" target="-blank">/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-sa-automount-sa-token</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Auto-Mount of Service Account Tokens in Service Account </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Secret,ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The ServiceAccount may be assigned roles allowing Pods to access API resources. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Blocking this ability is an extension of the least privilege best practice and should </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> be followed if Pods do not need to speak to the API server to function. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy ensures that mounting of these ServiceAccount tokens is blocked. </span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-sa-automountServiceAccountToken</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ServiceAccounts must set automountServiceAccountToken to false.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">automountServiceAccountToken</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml" target="-blank">/other-cel/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-sa-automount-sa-token</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Auto-Mount of Service Account Tokens in Service Account in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Secret,ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The ServiceAccount may be assigned roles allowing Pods to access API resources. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Blocking this ability is an extension of the least privilege best practice and should </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> be followed if Pods do not need to speak to the API server to function. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy ensures that mounting of these ServiceAccount tokens is blocked. </span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-sa-automountServiceAccountToken</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.?automountServiceAccountToken.orValue(true) == false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ServiceAccounts must set automountServiceAccountToken to false.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-binding-system-groups/restrict-binding-system-groups/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-binding-system-groups/restrict-binding-system-groups/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-binding-system-groups/restrict-binding-system-groups.yaml" target="-blank">/other/restrict-binding-system-groups/restrict-binding-system-groups.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-binding-system-groups</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Binding System Groups</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">RoleBinding, ClusterRoleBinding, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Certain system groups exist in Kubernetes which grant permissions that </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> are used for certain system-level functions yet typically never appropriate </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> for other users. This policy prevents creating bindings to some of these </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> groups including system:anonymous, system:unauthenticated, and system:masters.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-anonymous</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Binding to system:anonymous is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!system:anonymous&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-unauthenticated</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="l">RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Binding to system:unauthenticated is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!system:unauthenticated&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-masters</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="l">RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Binding to system:masters is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!system:masters&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-binding-system-groups/restrict-binding-system-groups/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-binding-system-groups/restrict-binding-system-groups/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml" target="-blank">/other-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-binding-system-groups</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Binding System Groups in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">RoleBinding, ClusterRoleBinding, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Certain system groups exist in Kubernetes which grant permissions that </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> are used for certain system-level functions yet typically never appropriate </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> for other users. This policy prevents creating bindings to some of these </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> groups including system:anonymous, system:unauthenticated, and system:masters.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-subject-groups</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.subjects.all(subject, subject.name != &#39;system:anonymous&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Binding to system:anonymous is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.subjects.all(subject, subject.name != &#39;system:unauthenticated&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Binding to system:unauthenticated is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.subjects.all(subject, subject.name != &#39;system:masters&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Binding to system:masters is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-binding-clusteradmin/restrict-binding-clusteradmin/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-binding-clusteradmin/restrict-binding-clusteradmin/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml" target="-blank">/other/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-binding-clusteradmin</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Binding to Cluster-Admin</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">RoleBinding, ClusterRoleBinding, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The cluster-admin ClusterRole allows any action to be performed on any resource </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> in the cluster and its granting should be heavily restricted. This </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> policy prevents binding to the cluster-admin ClusterRole in </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> RoleBinding or ClusterRoleBinding resources.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">clusteradmin-bindings</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Binding to cluster-admin is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">roleRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!cluster-admin&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-binding-clusteradmin/restrict-binding-clusteradmin/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-binding-clusteradmin/restrict-binding-clusteradmin/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml" target="-blank">/other-cel/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-binding-clusteradmin</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Binding to Cluster-Admin in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">RoleBinding, ClusterRoleBinding, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The cluster-admin ClusterRole allows any action to be performed on any resource </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> in the cluster and its granting should be heavily restricted. This </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> policy prevents binding to the cluster-admin ClusterRole in </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> RoleBinding or ClusterRoleBinding resources.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">clusteradmin-bindings</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.roleRef.name != &#39;cluster-admin&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Binding to cluster-admin is not allowed.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-clusterrole-csr/restrict-clusterrole-csr/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-clusterrole-csr/restrict-clusterrole-csr/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml" target="-blank">/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-clusterrole-csr</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Cluster Role CSR</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.5</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">certificatesigningrequests-update-prevention</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of verbs `update` and `patch` are forbidden for certificatesigningrequests/approval.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.rules[?resources.contains(@,&#39;certificatesigningrequests/approval&#39;)]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;update&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;patch&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.verbs[] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ contains(element.verbs[], &#39;*&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">signers-approve-prevention</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of verbs `approve` are forbidden for signers.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.rules[?resources.contains(@,&#39;signers&#39;)]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;approve&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.verbs[] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ contains(element.verbs[], &#39;*&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml" target="-blank">/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-clusterrole-mutating-validating-admission-webhooks</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Clusterrole for Mutating and Validating Admission Webhooks</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.7</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-clusterrole</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of verbs `create`, `update`, and `patch` are forbidden for mutating and validating admission webhooks&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.rules[]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.apiGroups || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">admissionregistration.k8s.io</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.resources || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="l">mutatingwebhookconfigurations</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="l">validatingwebhookconfigurations</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.verbs }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">create</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">update</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="l">patch</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ contains(element.verbs[], &#39;*&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml" target="-blank">/other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-clusterrole-nodesproxy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict ClusterRole with Nodes Proxy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> A ClusterRole with nodes/proxy resource access allows a user to </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> perform anything the kubelet API allows. It also allows users to bypass </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the API server and talk directly to the kubelet potentially circumventing </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> audits and admission controllers. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> for more info. This policy prevents the creation </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> of a ClusterRole if it contains the nodes/proxy resource. </span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">clusterrole-nodesproxy</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;A ClusterRole containing the nodes/proxy resource is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">nodes/proxy</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.rules[].resources[] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.rules[].apiGroups[] }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml" target="-blank">/other-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-clusterrole-nodesproxy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict ClusterRole with Nodes Proxy in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> A ClusterRole with nodes/proxy resource access allows a user to </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> perform anything the kubelet API allows. It also allows users to bypass </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the API server and talk directly to the kubelet potentially circumventing </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> audits and admission controllers. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> for more info. This policy prevents the creation </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> of a ClusterRole if it contains the nodes/proxy resource. </span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">clusterrole-nodesproxy</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> object.rules == null || </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> !object.rules.exists(rule, </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> has(rule.resources) &amp;&amp; </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> rule.resources.exists(resource, resource == &#39;nodes/proxy&#39;) &amp;&amp; </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> rule.apiGroups.exists(apiGroup, apiGroup == &#39;&#39;))</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;A ClusterRole containing the nodes/proxy resource is not allowed.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-controlplane-scheduling/restrict-controlplane-scheduling/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-controlplane-scheduling/restrict-controlplane-scheduling/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml" target="-blank">/other/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-controlplane-scheduling</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict control plane scheduling</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Scheduling non-system Pods to control plane nodes (which run kubelet) is often undesirable </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> because it takes away resources from the control plane components and can represent </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> a possible security threat vector. This policy prevents users from setting a toleration </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> in a Pod spec which allows running on control plane nodes </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> with the taint key `node-role.kubernetes.io/master`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-controlplane-scheduling-master</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Pods may not use tolerations which schedule on control plane nodes.</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">=(tolerations)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!node-role.kubernetes.io/master&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-controlplane-scheduling-control-plane</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Pods may not use tolerations which schedule on control plane nodes.</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">=(tolerations)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!node-role.kubernetes.io/control-plane&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-controlplane-scheduling/restrict-controlplane-scheduling/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-controlplane-scheduling/restrict-controlplane-scheduling/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml" target="-blank">/other-cel/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-controlplane-scheduling</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict control plane scheduling in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Scheduling non-system Pods to control plane nodes (which run kubelet) is often undesirable </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> because it takes away resources from the control plane components and can represent </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> a possible security threat vector. This policy prevents users from setting a toleration </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> in a Pod spec which allows running on control plane nodes </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> with the taint key `node-role.kubernetes.io/master`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-controlplane-scheduling-master</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> !has(object.spec.tolerations) || </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> !object.spec.tolerations.exists(toleration, toleration.?key.orValue(&#39;&#39;) in [&#39;node-role.kubernetes.io/master&#39;, &#39;node-role.kubernetes.io/control-plane&#39;])</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Pods may not use tolerations which schedule on control plane nodes.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-deprecated-registry/restrict-deprecated-registry/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-deprecated-registry/restrict-deprecated-registry/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-deprecated-registry/restrict-deprecated-registry.yaml" target="-blank">/other/restrict-deprecated-registry/restrict-deprecated-registry.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-deprecated-registry</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Deprecated Registry</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Legacy k8s.gcr.io container image registry will be frozen in early April 2023 </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> k8s.gcr.io image registry will be frozen from the 3rd of April 2023. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Images for Kubernetes 1.27 will not be available in the k8s.gcr.io image registry. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Please read our announcement for more details. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/ </span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="c"># validationFailureAction: Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-deprecated-registry</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The \&#34;k8s.gcr.io\&#34; image registry is deprecated. \&#34;registry.k8s.io\&#34; should now be used.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.[initContainers, ephemeralContainers, containers][]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;k8s.gcr.io/*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-deprecated-registry/restrict-deprecated-registry/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-deprecated-registry/restrict-deprecated-registry/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-deprecated-registry/restrict-deprecated-registry.yaml" target="-blank">/other-cel/restrict-deprecated-registry/restrict-deprecated-registry.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-deprecated-registry</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Deprecated Registry in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27-1.28&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Legacy k8s.gcr.io container image registry will be frozen in early April 2023 </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> k8s.gcr.io image registry will be frozen from the 3rd of April 2023. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Images for Kubernetes 1.27 will not be available in the k8s.gcr.io image registry. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> Please read our announcement for more details. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/ </span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-deprecated-registry</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.allContainers.all(container, !container.image.startsWith(&#39;k8s.gcr.io/&#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The \&#34;k8s.gcr.io\&#34; image registry is deprecated. \&#34;registry.k8s.io\&#34; should now be used.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml" target="-blank">/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-edit-for-endpoints</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Edit for Endpoints CVE-2021-25740</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">low</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Clusters not initially installed with Kubernetes 1.22 may be vulnerable to an issue </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> defined in CVE-2021-25740 which could enable users to send network traffic to locations </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> they would otherwise not have access to via a confused deputy attack. This was due to </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the system:aggregate-to-edit ClusterRole having edit permission of Endpoints. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy, intended to run in background mode, checks if your cluster is vulnerable </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> to CVE-2021-25740 by ensuring the system:aggregate-to-edit ClusterRole does not have </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> the edit permission of Endpoints.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">system-aggregate-to-edit-check</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">system:aggregate-to-edit</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> This cluster may still be vulnerable to CVE-2021-25740. The system:aggregate-to-edit ClusterRole </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> should not have edit permission over Endpoints.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">edit</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.rules[?resources[?contains(@,&#39;endpoints&#39;)]].verbs[] }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-edit-for-endpoints/restrict-edit-for-endpoints/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-edit-for-endpoints/restrict-edit-for-endpoints/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml" target="-blank">/other-cel/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-edit-for-endpoints</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Edit for Endpoints CVE-2021-25740 in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">low</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Clusters not initially installed with Kubernetes 1.22 may be vulnerable to an issue </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> defined in CVE-2021-25740 which could enable users to send network traffic to locations </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> they would otherwise not have access to via a confused deputy attack. This was due to </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the system:aggregate-to-edit ClusterRole having edit permission of Endpoints. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy, intended to run in background mode, checks if your cluster is vulnerable </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> to CVE-2021-25740 by ensuring the system:aggregate-to-edit ClusterRole does not have </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> the edit permission of Endpoints.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">system-aggregate-to-edit-check</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">system:aggregate-to-edit</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!object.rules.exists(rule, &#39;endpoints&#39; in rule.resources &amp;&amp; &#39;edit&#39; in rule.verbs)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> This cluster may still be vulnerable to CVE-2021-25740. The system:aggregate-to-edit ClusterRole </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> should not have edit permission over Endpoints.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml" target="-blank">/other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-escalation-verbs-roles</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Escalation Verbs in Roles</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Role, ClusterRole, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The verbs `impersonate`, `bind`, and `escalate` may all potentially lead to </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> privilege escalation and should be tightly controlled. This policy prevents </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> use of these verbs in Role or ClusterRole resources.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">escalate</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of verbs `escalate`, `bind`, and `impersonate` are forbidden.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.rules[]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.apiGroups || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="l">rbac.authorization.k8s.io</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.resources || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">clusterroles</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">roles</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.verbs }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="l">bind</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="l">escalate</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">impersonate</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml" target="-blank">/other-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-escalation-verbs-roles</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Escalation Verbs in Roles in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Role, ClusterRole, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The verbs `impersonate`, `bind`, and `escalate` may all potentially lead to </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> privilege escalation and should be tightly controlled. This policy prevents </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> use of these verbs in Role or ClusterRole resources.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">escalate</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">apiGroups</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;*&#39;, &#39;rbac.authorization.k8s.io&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">resources</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;*&#39;, &#39;clusterroles&#39;, &#39;roles&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verbs</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;*&#39;, &#39;bind&#39;, &#39;escalate&#39;, &#39;impersonate&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> object.rules == null || </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> !object.rules.exists(rule, </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> rule.apiGroups.exists(apiGroup, apiGroup in variables.apiGroups) &amp;&amp; </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> rule.resources.exists(resource, resource in variables.resources) &amp;&amp; </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> rule.verbs.exists(verb, verb in variables.verbs))</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of verbs `escalate`, `bind`, and `impersonate` are forbidden.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/restrict-service-external-ips/restrict-service-external-ips/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/restrict-service-external-ips/restrict-service-external-ips/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml" target="-blank">/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-external-ips</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict External IPs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Service externalIPs can be used for a MITM attack (CVE-2020-8554). </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Restrict externalIPs or limit to a known set of addresses. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> See: https://github.com/kyverno/kyverno/issues/1367. This policy validates </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> that the `externalIPs` field is not set on a Service.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-ips</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;externalIPs are not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="c"># restrict external IP addresses</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="c"># you can alternatively restrict to a known set of addresses using:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="c"># =(externalIPs): [&#34;37.10.11.53&#34;, &#34;153.10.20.1&#34;]</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">X(externalIPs)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/restrict-service-external-ips/restrict-service-external-ips/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/restrict-service-external-ips/restrict-service-external-ips/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/restrict-service-external-ips/restrict-service-external-ips.yaml" target="-blank">/best-practices-cel/restrict-service-external-ips/restrict-service-external-ips.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-external-ips</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict External IPs in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Service externalIPs can be used for a MITM attack (CVE-2020-8554). </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Restrict externalIPs or limit to a known set of addresses. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> See: https://github.com/kyverno/kyverno/issues/1367. This policy validates </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> that the `externalIPs` field is not set on a Service.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-ips</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!has(object.spec.externalIPs)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="c"># restrict external IP addresses</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="c"># you can alternatively restrict to a known set of addresses using:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="c"># !has(object.spec.externalIPs) || </span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="c"># object.spec.externalIPs.all(ip, ip in [&#34;37.10.11.53&#34;, &#34;153.10.20.1&#34;]) </span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;externalIPs are not allowed.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices/restrict-image-registries/restrict-image-registries/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices/restrict-image-registries/restrict-image-registries/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices/restrict-image-registries/restrict-image-registries.yaml" target="-blank">/best-practices/restrict-image-registries/restrict-image-registries.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-image-registries</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Image Registries</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Images from unknown, public registries can be of dubious quality and may not be </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> scanned and secured, representing a high degree of risk. Requiring use of known, approved </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> registries helps reduce threat exposure by ensuring image pulls only come from them. This </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> policy validates that container images only originate from the registry `eu.foo.io` or </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> `bar.io`. Use of this policy requires customization to define your allowable registries.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-registries</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Unknown image registry.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;eu.foo.io/* | bar.io/*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;eu.foo.io/* | bar.io/*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;eu.foo.io/* | bar.io/*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/restrict-image-registries/restrict-image-registries/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/best-practices-cel/restrict-image-registries/restrict-image-registries/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/restrict-image-registries/restrict-image-registries.yaml" target="-blank">/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-image-registries</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Image Registries in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Images from unknown, public registries can be of dubious quality and may not be </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> scanned and secured, representing a high degree of risk. Requiring use of known, approved </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> registries helps reduce threat exposure by ensuring image pulls only come from them. This </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> policy validates that container images only originate from the registry `eu.foo.io` or </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> `bar.io`. Use of this policy requires customization to define your allowable registries.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-registries</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;variables.allContainers.all(container, container.image.startsWith(&#39;eu.foo.io/&#39;) || container.image.startsWith(&#39;bar.io/&#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Unknown image registry.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-ingress-classes/restrict-ingress-classes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-ingress-classes/restrict-ingress-classes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-ingress-classes/restrict-ingress-classes.yaml" target="-blank">/other/restrict-ingress-classes/restrict-ingress-classes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-ingress-classes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Ingress Classes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Ingress classes should only be allowed which match up to deployed Ingress controllers </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> in the cluster. Allowing users to define classes which cannot be satisfied by a deployed </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Ingress controller can result in either no or undesired functionality. This policy checks </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Ingress resources and only allows those which define `HAProxy` or `nginx` in the respective </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> annotation. This annotation has largely been replaced as of Kubernetes 1.18 with the IngressClass </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> resource.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Unknown ingress class.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">kubernetes.io/ingress.class</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;HAProxy | nginx&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-ingress-classes/restrict-ingress-classes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-ingress-classes/restrict-ingress-classes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-ingress-classes/restrict-ingress-classes.yaml" target="-blank">/other-cel/restrict-ingress-classes/restrict-ingress-classes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-ingress-classes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Ingress Classes in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Ingress classes should only be allowed which match up to deployed Ingress controllers </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> in the cluster. Allowing users to define classes which cannot be satisfied by a deployed </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Ingress controller can result in either no or undesired functionality. This policy checks </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> Ingress resources and only allows those which define `HAProxy` or `nginx` in the respective </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> annotation. This annotation has largely been replaced as of Kubernetes 1.18 with the IngressClass </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> resource.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> object.metadata.?annotations[?&#39;kubernetes.io/ingress.class&#39;].orValue(&#39;&#39;) in [&#39;HAProxy&#39;, &#39;nginx&#39;] </span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Unknown ingress class.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml" target="-blank">/other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-ingress-defaultbackend</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Ingress defaultBackend</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> An Ingress with no rules sends all traffic to a single default backend. The defaultBackend </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> is conventionally a configuration option of the Ingress controller and is not specified in </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> your Ingress resources. If none of the hosts or paths match the HTTP request in the Ingress </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> objects, the traffic is routed to your default backend. In a multi-tenant environment, you </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> want users to use explicit hosts, they should not be able to overwrite the global default backend </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> service. This policy prohibits the use of the defaultBackend field.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-ingress-defaultbackend</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Setting the defaultBackend field is prohibited.</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">X(defaultBackend)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml" target="-blank">/other-cel/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-ingress-defaultbackend</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Ingress defaultBackend in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> An Ingress with no rules sends all traffic to a single default backend. The defaultBackend </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> is conventionally a configuration option of the Ingress controller and is not specified in </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> your Ingress resources. If none of the hosts or paths match the HTTP request in the Ingress </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> objects, the traffic is routed to your default backend. In a multi-tenant environment, you </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> want users to use explicit hosts, they should not be able to overwrite the global default backend </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> service. This policy prohibits the use of the defaultBackend field.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-ingress-defaultbackend</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!has(object.spec.defaultBackend)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Setting the defaultBackend field is prohibited.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-ingress-wildcard/restrict-ingress-wildcard/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-ingress-wildcard/restrict-ingress-wildcard/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml" target="-blank">/other/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-ingress-wildcard</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Ingress Host with Wildcards</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Ingress hosts optionally accept a wildcard as an alternative </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to precise matching. In some cases, this may be too permissive as it </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> would direct unintended traffic to the given Ingress resource. This </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> policy enforces that any Ingress host does not contain a wildcard </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> character.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-ingress-wildcard</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Wildcards are not permitted as hosts.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.rules&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ contains(element.host, &#39;*&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml" target="-blank">/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-ingress-wildcard</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Ingress Host with Wildcards in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Ingress hosts optionally accept a wildcard as an alternative </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to precise matching. In some cases, this may be too permissive as it </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> would direct unintended traffic to the given Ingress resource. This </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> policy enforces that any Ingress host does not contain a wildcard </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> character.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-ingress-wildcard</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!object.spec.?rules.orValue([]).exists(rule, has(rule.host) &amp;&amp; rule.host.contains(&#39;*&#39;))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Wildcards are not permitted as hosts.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/cert-manager/restrict-issuer/restrict-issuer/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/cert-manager/restrict-issuer/restrict-issuer/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//cert-manager/restrict-issuer/restrict-issuer.yaml" target="-blank">/cert-manager/restrict-issuer/restrict-issuer.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cert-manager-restrict-issuer</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict issuer</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Cert-Manager</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Certificate</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Certificates for trusted domains should always be steered to a controlled issuer to </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> ensure the chain of trust is appropriate for that application. Users may otherwise be </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> able to create their own issuers and sign certificates for other domains. This policy </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> ensures that a certificate request for a specific domain uses a designated ClusterIssuer.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-corp-cert-issuer</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Certificate</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">When requesting a cert for this domain, you must use our corporate issuer.</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">(dnsNames)</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;*.corp.com&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">issuerRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">our-corp-issuer</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterIssuer</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="l">cert-manager.io</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-jobs/restrict-jobs/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-jobs/restrict-jobs/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-jobs/restrict-jobs.yaml" target="-blank">/other/restrict-jobs/restrict-jobs.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-jobs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Jobs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Jobs can be created directly and indirectly via a CronJob controller. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In some cases, users may want to only allow Jobs if they are created via a CronJob. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy restricts Jobs so they may only be created by a CronJob.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-job-from-cronjob</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.ownerReferences[0].kind || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Jobs are only allowed if spawned from CronJobs.</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-jobs/restrict-jobs/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-jobs/restrict-jobs/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-jobs/restrict-jobs.yaml" target="-blank">/other-cel/restrict-jobs/restrict-jobs.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-jobs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Jobs in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Jobs can be created directly and indirectly via a CronJob controller. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In some cases, users may want to only allow Jobs if they are created via a CronJob. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy restricts Jobs so they may only be created by a CronJob.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-job-from-cronjob</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;not-created-by-cronjob&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!has(object.metadata.ownerReferences) || object.metadata.ownerReferences[0].kind != &#39;CronJob&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Jobs are only allowed if spawned from CronJobs.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml" target="-blank">/other/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-networkpolicy-empty-podselector</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict NetworkPolicy with Empty podSelector</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, Multi-Tenancy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> By default, all pods in a Kubernetes cluster are allowed to communicate with each other, and all </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> network traffic is unencrypted. It is recommended to not use an empty podSelector in order to </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> more closely control the necessary traffic flows. This policy requires that all NetworkPolicies </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> other than that of `default-deny` not use an empty podSelector.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">empty-podselector</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">default-deny</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;NetworkPolicies must not use an empty podSelector.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.podSelector.keys(@) | length(@)}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml" target="-blank">/other-cel/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-networkpolicy-empty-podselector</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict NetworkPolicy with Empty podSelector in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, Multi-Tenancy in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> By default, all pods in a Kubernetes cluster are allowed to communicate with each other, and all </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> network traffic is unencrypted. It is recommended to not use an empty podSelector in order to </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> more closely control the necessary traffic flows. This policy requires that all NetworkPolicies </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> other than that of `default-deny` not use an empty podSelector.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">empty-podselector</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="l">default-deny</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;size(object.spec.podSelector) != 0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;NetworkPolicies must not use an empty podSelector.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/nginx-ingress/restrict-annotations/restrict-annotations/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/nginx-ingress/restrict-annotations/restrict-annotations/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//nginx-ingress/restrict-annotations/restrict-annotations.yaml" target="-blank">/nginx-ingress/restrict-annotations/restrict-annotations.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict NGINX Ingress annotation values </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security, NGINX Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.6.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.6.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> &#34;annotation-value-word-blocklist&#34; configuration setting is also recommended. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> Please refer to the CVE for details. </span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">networking.k8s.io/v1/Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;spec.rules[].http.paths[].path value is not allowed&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.annotations.values(@)[].regex_match(&#39;\\s*alias\\s*.*;&#39;, @)}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="kc">true</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.annotations.values(@)[].regex_match(&#39;\\s*root\\s*.*;&#39;, @)}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="kc">true</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.annotations.values(@)[].regex_match(&#39;/etc/(passwd|shadow|group|nginx|ingress-controller)&#39;, @)}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="kc">true</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.annotations.values(@)[].regex_match(&#39;/var/run/secrets&#39;, @)}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="kc">true</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.annotations.values(@)[].regex_match(&#39;.*_by_lua.*&#39;, @)}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="kc">true</span><span class="p">]</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/nginx-ingress-cel/restrict-annotations/restrict-annotations/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/nginx-ingress-cel/restrict-annotations/restrict-annotations/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml" target="-blank">/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict NGINX Ingress annotation values in CEL expressions </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security, NGINX Ingress in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.11.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.11.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> &#34;annotation-value-word-blocklist&#34; configuration setting is also recommended. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> Please refer to the CVE for details. </span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">networking.k8s.io/v1/Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> !has(object.metadata.annotations) || </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> ( </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches(&#39;\\s*alias\\s*.*;&#39;)) &amp;&amp; </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches(&#39;\\s*root\\s*.*;&#39;)) &amp;&amp; </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches(&#39;/etc/(passwd|shadow|group|nginx|ingress-controller)&#39;)) &amp;&amp; </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches(&#39;/var/run/secrets&#39;)) &amp;&amp; </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches(&#39;.*_by_lua.*&#39;)) </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> )</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;spec.rules[].http.paths[].path value is not allowed&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml" target="-blank">/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-ingress-paths</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict NGINX Ingress path values </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security, NGINX Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.6.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.6.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> Please refer to the CVE for details.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-paths</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">networking.k8s.io/v1/Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;spec.rules[].http.paths[].path value is not allowed&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.rules[].http.paths[].path.contains(@,&#39;/etc&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="kc">true</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.rules[].http.paths[].path.contains(@,&#39;/var/run/secrets&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="kc">true</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.rules[].http.paths[].path.contains(@,&#39;/root&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="kc">true</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.rules[].http.paths[].path.contains(@,&#39;/var/run/kubernetes/serviceaccount&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="kc">true</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.rules[].http.paths[].path.contains(@,&#39;/etc/kubernetes/admin.conf&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="kc">true</span><span class="p">]</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml" target="-blank">/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-ingress-paths</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict NGINX Ingress path values in CEL expressions </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security, NGINX Ingress in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.11.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.11.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> Please refer to the CVE for details.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-paths</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">networking.k8s.io/v1/Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.?rules.orValue([]).all(rule, </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> rule.?http.?paths.orValue([]).all(p, </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> !p.path.contains(&#39;/etc&#39;) &amp;&amp; !p.path.contains(&#39;/var/run/secrets&#39;) &amp;&amp; </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> !p.path.contains(&#39;/root&#39;) &amp;&amp; !p.path.contains(&#39;/var/run/kubernetes/serviceaccount&#39;) &amp;&amp; </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> !p.path.contains(&#39;/etc/kubernetes/admin.conf&#39;)))</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;spec.rules[].http.paths[].path value is not allowed&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-node-affinity/restrict-node-affinity/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-node-affinity/restrict-node-affinity/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-node-affinity/restrict-node-affinity.yaml" target="-blank">/other/restrict-node-affinity/restrict-node-affinity.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-node-affinity</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Node Affinity</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Pods may use several mechanisms to prefer scheduling on a set of nodes, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> and nodeAffinity is one of them. nodeAffinity uses expressions to select </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> eligible nodes for scheduling decisions and may override intended placement </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> options by cluster administrators. This policy ensures that nodeAffinity </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> is not used in a Pod spec.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-nodeaffinity</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Node affinity cannot be used.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">=(affinity)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">X(nodeAffinity)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-node-affinity/restrict-node-affinity/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-node-affinity/restrict-node-affinity/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-node-affinity/restrict-node-affinity.yaml" target="-blank">/other-cel/restrict-node-affinity/restrict-node-affinity.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-node-affinity</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Node Affinity in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Pods may use several mechanisms to prefer scheduling on a set of nodes, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> and nodeAffinity is one of them. nodeAffinity uses expressions to select </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> eligible nodes for scheduling decisions and may override intended placement </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> options by cluster administrators. This policy ensures that nodeAffinity </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> is not used in a Pod spec.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-nodeaffinity</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!object.spec.?affinity.?nodeAffinity.hasValue()&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Node affinity cannot be used.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-node-label-changes/restrict-node-label-changes/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-node-label-changes/restrict-node-label-changes/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-node-label-changes/restrict-node-label-changes.yaml" target="-blank">/other/restrict-node-label-changes/restrict-node-label-changes.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">protect-node-label-foo</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict node label changes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Node, Label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Node labels are critical pieces of metadata upon which many other applications and </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> logic may depend and should not be altered or removed by regular users. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy prevents changes or deletions to a label called `foo` on </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> cluster Nodes. Use of this policy requires removal of the Node resource filter </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> in the Kyverno ConfigMap ([Node,*,*]). Due to Kubernetes CVE-2021-25735, this policy </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> requires, at minimum, one of the following versions of Kubernetes: </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> v1.18.18, v1.19.10, v1.20.6, or v1.21.0.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-label-value-changes</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">allowExistingViolations</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Modifying the `foo` label on a Node is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.labels.foo || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.labels.foo || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.oldObject.metadata.labels.foo || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-label-key-removal</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.oldObject.metadata.labels.foo || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">allowExistingViolations</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Removing the `foo` label on a Node is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">foo</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-node-label-creation/restrict-node-label-creation/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-node-label-creation/restrict-node-label-creation/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-node-label-creation/restrict-node-label-creation.yaml" target="-blank">/other/restrict-node-label-creation/restrict-node-label-creation.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-node-label-creation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict node label creation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Node, Label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Node labels are critical pieces of metadata upon which many other applications and </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> logic may depend and should not be altered or removed by regular users. Many cloud </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> providers also use Node labels to signal specific functions to applications. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy prevents setting of a new label called `foo` on </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> cluster Nodes. Use of this policy requires removal of the Node resource filter </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> in the Kyverno ConfigMap ([Node,*,*]). Due to Kubernetes CVE-2021-25735, this policy </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> requires, at minimum, one of the following versions of Kubernetes: </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> v1.18.18, v1.19.10, v1.20.6, or v1.21.0.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-label-set</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.labels.foo || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Setting the `foo` label on a Node is not allowed.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-node-label-creation/restrict-node-label-creation/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-node-label-creation/restrict-node-label-creation/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-node-label-creation/restrict-node-label-creation.yaml" target="-blank">/other-cel/restrict-node-label-creation/restrict-node-label-creation.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-node-label-creation</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict node label creation in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Node, Label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Node labels are critical pieces of metadata upon which many other applications and </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> logic may depend and should not be altered or removed by regular users. Many cloud </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> providers also use Node labels to signal specific functions to applications. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy prevents setting of a new label called `foo` on </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> cluster Nodes. Use of this policy requires removal of the Node resource filter </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> in the Kyverno ConfigMap ([Node,*,*]). Due to Kubernetes CVE-2021-25735, this policy </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> requires, at minimum, one of the following versions of Kubernetes: </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> v1.18.18, v1.19.10, v1.20.6, or v1.21.0.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prevent-label-set</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Node</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;operation-should-be-update&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.operation == &#39;UPDATE&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has-foo-label&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.metadata.?labels.?foo.hasValue()&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Setting the `foo` label on a Node is not allowed.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-node-selection/restrict-node-selection/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-node-selection/restrict-node-selection/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-node-selection/restrict-node-selection.yaml" target="-blank">/other/restrict-node-selection/restrict-node-selection.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-node-selection</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict node selection</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> The Kubernetes scheduler uses complex logic to determine the optimal placement </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> for new Pods. Users who have access to set certain fields in a Pod spec </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> may sidestep this logic which in many cases is undesirable. This policy </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> prevents users from targeting specific Nodes for scheduling of Pods by </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> prohibiting the use of the `nodeSelector` and `nodeName` fields. Note that </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> this policy is only designed to work on initial creation and not in background </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> mode.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-nodeselector</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Setting the nodeSelector field is prohibited.</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">X(nodeSelector)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-nodename</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Setting the nodeName field is prohibited.</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">X(nodeName)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;null&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml" target="-blank">/other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-pod-controller-serviceaccount-updates</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Pod Controller ServiceAccount Updates</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">Medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> ServiceAccounts which have the ability to edit/patch workloads which they created </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> may potentially use that privilege to update to a different ServiceAccount with higher </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> privileges. This policy, intended to be run in `enforce` mode, blocks updates </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> to Pod controllers if those updates modify the serviceAccountName field. Updates to Pods </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> directly for this field are not possible as it is immutable once set.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-serviceaccount-updates</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">ReplicaSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">ReplicationController</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> The serviceAccountName field may not be changed once created.</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.template.spec.serviceAccountName || &#39;empty&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.oldObject.spec.template.spec.serviceAccountName || &#39;empty&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-serviceaccount-updates-cronjob</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="l">CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="sd"> The serviceAccountName field may not be changed once created.</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.jobTemplate.spec.template.spec.serviceAccountName || &#39;empty&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.oldObject.spec.jobTemplate.spec.template.spec.serviceAccountName || &#39;empty&#39;}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml" target="-blank">/other-cel/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-pod-controller-serviceaccount-updates</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Pod Controller ServiceAccount Updates in CEL Expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">Medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> ServiceAccounts which have the ability to edit/patch workloads which they created </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> may potentially use that privilege to update to a different ServiceAccount with higher </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> privileges. This policy, intended to be run in `enforce` mode, blocks updates </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> to Pod controllers if those updates modify the serviceAccountName field. Updates to Pods </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> directly for this field are not possible as it is immutable once set.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-serviceaccount-updates</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Job</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">ReplicaSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">ReplicationController</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;operation-should-be-update&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.operation == &#39;UPDATE&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> object.spec.template.spec.?serviceAccountName.orValue(&#39;empty&#39;) == oldObject.spec.template.spec.?serviceAccountName.orValue(&#39;empty&#39;)</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> The serviceAccountName field may not be changed once created.</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-serviceaccount-updates-cronjob</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="l">CronJob</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;operation-should-be-update&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.operation == &#39;UPDATE&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="sd"> object.spec.jobTemplate.spec.template.spec.?serviceAccountName.orValue(&#39;empty&#39;) == oldObject.spec.jobTemplate.spec.template.spec.?serviceAccountName.orValue(&#39;empty&#39;)</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="sd"> The serviceAccountName field may not be changed once created.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-pod-count-per-node/restrict-pod-count-per-node/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-pod-count-per-node/restrict-pod-count-per-node/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-pod-count-per-node/restrict-pod-count-per-node.yaml" target="-blank">/other/restrict-pod-count-per-node/restrict-pod-count-per-node.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-pod-count</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Pod Count per Node</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Sometimes Kubernetes Nodes may have a maximum number of Pods they can accommodate due to </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> resources outside CPU and memory such as licensing, or in some </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> development cases. This policy restricts Pod count on a Node named `minikube` to be no more than 10.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="c"># pod-policies.kyverno.io/autogen-controllers: none</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-pod-count</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">podcounts</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/pods&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?spec.nodeName==&#39;minikube&#39;] | length(@)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;CREATE&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;A maximum of 10 Pods are allowed on the Node `minikube`&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ podcounts }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">10</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psp-migration/restrict-runtimeclassname/restrict-runtimeclassname/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psp-migration/restrict-runtimeclassname/restrict-runtimeclassname/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psp-migration/restrict-runtimeClassName/restrict-runtimeClassName.yaml" target="-blank">/psp-migration/restrict-runtimeClassName/restrict-runtimeClassName.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-runtimeclass</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict runtimeClass</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">PSP Migration</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.10.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> The runtimeClass field of a Pod spec defines which container engine runtime should be used. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In the previous Pod Security Policy controller, defining restrictions on which classes were allowed </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> was permitted. Limiting runtime classes to only those which have been defined can prevent </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> unintended running states or Pods which may not come online. This policy restricts the runtimeClass </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> field to the values `prodclass` or `expclass`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prodclass-or-expclass</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Only the runtime classes prodclass or expclass may be used.</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">=(spec)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">=(runtimeClassName)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;prodclass | expclass&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/psp-migration-cel/restrict-runtimeclassname/restrict-runtimeclassname/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/psp-migration-cel/restrict-runtimeclassname/restrict-runtimeclassname/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//psp-migration-cel/restrict-runtimeClassName/restrict-runtimeClassName.yaml" target="-blank">/psp-migration-cel/restrict-runtimeClassName/restrict-runtimeClassName.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-runtimeclass</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict runtimeClass in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">PSP Migration in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> The runtimeClass field of a Pod spec defines which container engine runtime should be used. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In the previous Pod Security Policy controller, defining restrictions on which classes were allowed </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> was permitted. Limiting runtime classes to only those which have been defined can prevent </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> unintended running states or Pods which may not come online. This policy restricts the runtimeClass </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> field to the values `prodclass` or `expclass`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prodclass-or-expclass</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;operation-should-be-create&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.operation == &#39;CREATE&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!has(object.spec.runtimeClassName) || object.spec.runtimeClassName in [&#39;prodclass&#39;, &#39;expclass&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Only the runtime classes prodclass or expclass may be used.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-scale/restrict-scale/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-scale/restrict-scale/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-scale/restrict-scale.yaml" target="-blank">/other/restrict-scale/restrict-scale.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-scale</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Scale</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pod controllers such as Deployments which implement replicas and permit the scale action </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> use a `/scale` subresource to control this behavior. In addition to checks for creations of </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> such controllers that their replica is in a certain shape, the scale operation and subresource </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> needs to be accounted for as well. This policy, operable beginning in Kyverno 1.9, is a collection </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> of rules which can be used to limit the replica count both upon creation of a Deployment and </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> when a scale operation is performed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="c"># This rule can be used to limit scale operations based upon Deployment labels assuming the given label</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="c"># is also used as a selector.</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">scale-max-eight</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment/scale</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The replica count for this Deployment may not exceed 8.</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">(status)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">(selector)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*type=monitoring*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="l">&lt;9</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="c"># This rule can be used for more advanced decision making, for example limiting scale based</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="c"># upon Deployment annotations which are not sent by the API server to admission controllers</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="c"># when a scale is performed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">scale-max-eight-annotations</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment/scale</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">parentdeploy</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/apps/v1/namespaces/{{request.namespace}}/deployments?fieldSelector=metadata.name={{request.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[0]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">dept</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">parentdeploy.metadata.annotations.&#34;corp.org/dept&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="l">empty</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The replica count for this Deployment may not exceed 8.</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{dept}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">engineering</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.replicas}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">8</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="c"># This rule, which is a simple check on Deployments for replicas (not scaling them) can be used</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="c"># to complement scale operations. This may be needed along with at least one of the prior two rules</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="c"># to fully limit the number of total replicas allowed. For example, this rule would limit creation of</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="c"># Deployments to no more than 4 replicas, without an additional rule for scaling it would not prevent</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="c"># scaling over 4. By combining this CREATE rule with one of the scale rules above, a cluster admin</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="c"># may effectively provide an allowed range of replicas good for both day1 and day2 operations.</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">create-max-four</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">monitoring</span><span class="w"> </span></span></span><span class="line"><span class="ln">83</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">84</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The replica count for this Deployment may not exceed 4.</span><span class="w"> </span></span></span><span class="line"><span class="ln">85</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">86</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">87</span><span class="cl"><span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="l">&lt;5</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/restrict-seccomp/restrict-seccomp/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/restrict-seccomp/restrict-seccomp/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml" target="-blank">/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-seccomp</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Seccomp</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> The seccomp profile must not be explicitly set to Unconfined. This policy, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> requiring Kubernetes v1.19 or later, ensures that seccomp is unset or </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> set to `RuntimeDefault` or `Localhost`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-seccomp</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="sd"> Use of custom Seccomp profiles is disallowed. The fields </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> spec.securityContext.seccompProfile.type, </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> spec.containers[*].securityContext.seccompProfile.type, </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.seccompProfile.type, and </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> spec.ephemeralContainers[*].securityContext.seccompProfile.type </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> must be unset or set to `RuntimeDefault` or `Localhost`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">=(seccompProfile)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">=(type)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;RuntimeDefault | Localhost&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">=(seccompProfile)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">=(type)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;RuntimeDefault | Localhost&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">=(seccompProfile)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">=(type)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;RuntimeDefault | Localhost&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">=(seccompProfile)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">=(type)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;RuntimeDefault | Localhost&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml" target="-blank">/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-seccomp-strict</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Seccomp (Strict)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> The seccomp profile in the Restricted group must not be explicitly set to Unconfined </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> but additionally must also not allow an unset value. This policy, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> requiring Kubernetes v1.19 or later, ensures that seccomp is </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-seccomp-strict</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> Use of custom Seccomp profiles is disallowed. The fields </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> spec.securityContext.seccompProfile.type, </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> spec.containers[*].securityContext.seccompProfile.type, </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.seccompProfile.type, and </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> spec.ephemeralContainers[*].securityContext.seccompProfile.type </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> must be set to `RuntimeDefault` or `Localhost`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">anyPattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">seccompProfile</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;RuntimeDefault | Localhost&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">=(seccompProfile)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">=(type)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;RuntimeDefault | Localhost&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">=(seccompProfile)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">=(type)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;RuntimeDefault | Localhost&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">=(seccompProfile)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">=(type)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;RuntimeDefault | Localhost&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">seccompProfile</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;RuntimeDefault | Localhost&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">seccompProfile</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;RuntimeDefault | Localhost&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">seccompProfile</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;RuntimeDefault | Localhost&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml" target="-blank">/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-seccomp-strict</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Seccomp (Strict) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The seccomp profile in the Restricted group must not be explicitly set to Unconfined </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> but additionally must also not allow an unset value. This policy, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> requiring Kubernetes v1.19 or later, ensures that seccomp is </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-seccomp-strict</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>!<span class="l">object.spec.?securityContext.?seccompProfile.?type.hasValue() ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="l">object.spec.securityContext.seccompProfile.type == &#39;RuntimeDefault&#39; ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="l">object.spec.securityContext.seccompProfile.type == &#39;Localhost&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> Use of custom Seccomp profiles is disallowed. The field </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> spec.securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="l">object.spec.containers.all(container,</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>!<span class="l">container.?securityContext.?seccompProfile.?type.hasValue() ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="l">container.securityContext.seccompProfile.type == &#39;RuntimeDefault&#39; ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="l">container.securityContext.seccompProfile.type == &#39;Localhost&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="l">)</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="sd"> Use of custom Seccomp profiles is disallowed. The field </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="sd"> spec.containers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="l">object.spec.?initContainers.orValue([]).all(container,</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>!<span class="l">container.?securityContext.?seccompProfile.?type.hasValue() ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="l">container.securityContext.seccompProfile.type == &#39;RuntimeDefault&#39; ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="l">container.securityContext.seccompProfile.type == &#39;Localhost&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="l">)</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="sd"> Use of custom Seccomp profiles is disallowed. The field </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="l">object.spec.?ephemeralContainers.orValue([]).all(container,</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span>!<span class="l">container.?securityContext.?seccompProfile.?type.hasValue() ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="l">container.securityContext.seccompProfile.type == &#39;RuntimeDefault&#39; ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="l">container.securityContext.seccompProfile.type == &#39;Localhost&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="l">)</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="sd"> Use of custom Seccomp profiles is disallowed. The field </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="sd"> spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/restricted/restrict-seccomp-strict/restrict-seccomp-strict/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/restricted/restrict-seccomp-strict/restrict-seccomp-strict/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml" target="-blank">/pod-security-vpol/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-seccomp-strict</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Seccomp (Strict) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The seccomp profile in the Restricted group must not be explicitly set to Unconfined </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> but additionally must also not allow an unset value. This policy, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> requiring Kubernetes v1.30 or later, ensures that seccomp is </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="l">object.spec.?securityContext.?seccompProfile.?type.orValue(&#39;RuntimeDefault&#39;) in [&#39;RuntimeDefault&#39;, &#39;Localhost&#39;]</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="cp">&amp;&amp;</span><span class="w"> </span><span class="l">variables.allContainers.all(container, </span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="l">container.?securityContext.?seccompProfile.?type.orValue(&#39;RuntimeDefault&#39;) in [&#39;RuntimeDefault&#39;, &#39;Localhost&#39;])</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> seccompProfile.type must be either &#39;RuntimeDefault&#39; or &#39;Localhost&#39;.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml" target="-blank">/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-seccomp</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Seccomp in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The seccomp profile must not be explicitly set to Unconfined. This policy, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> requiring Kubernetes v1.19 or later, ensures that seccomp is unset or </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> set to `RuntimeDefault` or `Localhost`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-seccomp</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowedProfileTypes</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;RuntimeDefault&#39;, &#39;Localhost&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="l">(object.spec.?securityContext.?seccompProfile.?type.orValue(&#39;Localhost&#39;) </span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="l">in variables.allowedProfileTypes) &amp;&amp; </span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="l">(variables.allContainers.all(container, </span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="l">container.?securityContext.?seccompProfile.?type.orValue(&#39;Localhost&#39;) </span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="l">in variables.allowedProfileTypes))</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> Use of custom Seccomp profiles is disallowed. The field </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> spec.containers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/restrict-seccomp/restrict-seccomp/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/restrict-seccomp/restrict-seccomp/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/baseline/restrict-seccomp/restrict-seccomp.yaml" target="-blank">/pod-security-vpol/baseline/restrict-seccomp/restrict-seccomp.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-seccomp</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Seccomp in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The seccomp profile must not be explicitly set to Unconfined. This policy, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> requiring Kubernetes v1.30 or later, ensures that seccomp is unset or </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> set to `RuntimeDefault` or `Localhost`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> object.spec.containers + </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> object.spec.?initContainers.orValue([]) + </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> object.spec.?ephemeralContainers.orValue([])</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowedProfileTypes</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;RuntimeDefault&#39;, &#39;Localhost&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hasValidSeccompProfile</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> object.spec.?securityContext.?seccompProfile.?type.orValue(&#39;Localhost&#39;) in variables.allowedProfileTypes</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> variables.hasValidSeccompProfile &amp;&amp; </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> container.?securityContext.?seccompProfile.?type.orValue(&#39;Localhost&#39;) in variables.allowedProfileTypes)</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="sd"> Use of custom Seccomp profiles is disallowed. The field </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="sd"> `securityContext.seccompProfile.type` must be unset or set to `RuntimeDefault` or `Localhost`.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-secret-role-verbs/restrict-secret-role-verbs/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-secret-role-verbs/restrict-secret-role-verbs/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml" target="-blank">/other/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-secret-role-verbs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Secret Verbs in Roles</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Role, ClusterRole, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The verbs `get`, `list`, and `watch` in a Role or ClusterRole, when paired with the Secrets resource, effectively </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> allows Secrets to be read which may expose sensitive information. This policy prevents </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> a Role or ClusterRole from using these verbs in tandem with Secret resources. In order to </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> fully implement this control, it is recommended to pair this policy with another which </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> also prevents use of the wildcard (&#39;*&#39;) in the verbs list either when explicitly naming Secrets </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> or when also using a wildcard in the base API group.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secret-verbs</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Requesting verbs `get`, `list`, or `watch` on Secrets is forbidden.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;get&#34;</span><span class="p">,</span><span class="s2">&#34;list&#34;</span><span class="p">,</span><span class="s2">&#34;watch&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.rules[?resources.contains(@,&#39;secrets&#39;)].verbs[] }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-secret-role-verbs/restrict-secret-role-verbs/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-secret-role-verbs/restrict-secret-role-verbs/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml" target="-blank">/other-cel/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-secret-role-verbs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Secret Verbs in Roles in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Role, ClusterRole, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The verbs `get`, `list`, and `watch` in a Role or ClusterRole, when paired with the Secrets resource, effectively </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> allows Secrets to be read which may expose sensitive information. This policy prevents </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> a Role or ClusterRole from using these verbs in tandem with Secret resources. In order to </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> fully implement this control, it is recommended to pair this policy with another which </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> also prevents use of the wildcard (&#39;*&#39;) in the verbs list either when explicitly naming Secrets </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> or when also using a wildcard in the base API group.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secret-verbs</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">forbiddenVerbs</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;get&#39;,&#39;list&#39;,&#39;watch&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> object.rules == null || </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> !object.rules.exists(rule, </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> &#39;secrets&#39; in rule.resources &amp;&amp; rule.verbs.exists(verb, verb in variables.forbiddenVerbs))</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Requesting verbs `get`, `list`, or `watch` on Secrets is forbidden.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-secrets-by-label/restrict-secrets-by-label/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-secrets-by-label/restrict-secrets-by-label/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-secrets-by-label/restrict-secrets-by-label.yaml" target="-blank">/other/restrict-secrets-by-label/restrict-secrets-by-label.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-secrets-by-label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Secrets by Label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 14</span><span class="cl"><span class="sd"> Secrets often contain sensitive information and their access should be carefully controlled. </span></span></span><span class="line"><span class="ln"> 15</span><span class="cl"><span class="sd"> Although Kubernetes RBAC can be effective at restricting them in several ways, </span></span></span><span class="line"><span class="ln"> 16</span><span class="cl"><span class="sd"> it lacks the ability to use labels on referenced entities. This policy ensures </span></span></span><span class="line"><span class="ln"> 17</span><span class="cl"><span class="sd"> that only Secrets not labeled with `status=protected` can be consumed by Pods.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secrets-lookup-from-env</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 30</span><span class="cl"><span class="w"> </span><span class="c"># check if any secrets are in env statements</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.[containers, initContainers, ephemeralContainers][].env[].valueFrom.secretKeyRef || &#39;&#39; | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">These Secrets are restricted.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 39</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 40</span><span class="cl"><span class="w"> </span><span class="c"># get every secret, then do an API lookup on each one checking for the `status` label.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 41</span><span class="cl"><span class="w"> </span><span class="c"># deny the request if any of those secrets have `status=protected`.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 42</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.[containers, initContainers, ephemeralContainers][].env[].valueFrom.secretKeyRef&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 43</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 44</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">status</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 45</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 46</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;metadata.labels.status || &#39;&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 47</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{request.namespace}}/secrets/{{element.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 48</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 49</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 50</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 51</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ status }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 52</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 53</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">protected</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 54</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secrets-lookup-from-envfrom</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 55</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 56</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 57</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 58</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 59</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 60</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 61</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 62</span><span class="cl"><span class="w"> </span><span class="c"># check if any secrets are in envfrom statements</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 63</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.[containers, initContainers, ephemeralContainers][].envFrom[].secretRef || &#39;&#39; | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 64</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 65</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 66</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 67</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 68</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 69</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 70</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">These Secrets are restricted.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 71</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 72</span><span class="cl"><span class="w"> </span><span class="c"># get every secret, then do an API lookup on each one checking for the `status` label.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 73</span><span class="cl"><span class="w"> </span><span class="c"># deny the request if any of those secrets have `status=protected`.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 74</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.[containers, initContainers, ephemeralContainers][].envFrom[].secretRef&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 75</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 76</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">status</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 77</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 78</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;metadata.labels.status || &#39;&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 79</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{request.namespace}}/secrets/{{element.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 80</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 81</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 82</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 83</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ status }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 84</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 85</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">protected</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 86</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secrets-lookup-from-volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 87</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 88</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 89</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 90</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 91</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 92</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 93</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 94</span><span class="cl"><span class="w"> </span><span class="c"># check if any secrets are in volume statements</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 95</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.volumes[].secret || &#39;&#39; | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 96</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 97</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 98</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 99</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">100</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">101</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">102</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">These Secrets are restricted.</span><span class="w"> </span></span></span><span class="line"><span class="ln">103</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">104</span><span class="cl"><span class="w"> </span><span class="c"># get every secret, then do an API lookup on each one checking for the `status` label.</span><span class="w"> </span></span></span><span class="line"><span class="ln">105</span><span class="cl"><span class="w"> </span><span class="c"># deny the request if any of those secrets have `status=protected`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">106</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.volumes[].secret&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">107</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">108</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">status</span><span class="w"> </span></span></span><span class="line"><span class="ln">109</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">110</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;metadata.labels.status || &#39;&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">111</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/api/v1/namespaces/{{request.namespace}}/secrets/{{element.secretName}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">112</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">113</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">114</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">115</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ status }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">116</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">117</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">protected</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-secrets-by-name/restrict-secrets-by-name/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-secrets-by-name/restrict-secrets-by-name/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-secrets-by-name/restrict-secrets-by-name.yaml" target="-blank">/other/restrict-secrets-by-name/restrict-secrets-by-name.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-secrets-by-name</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Secrets by Name</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.21&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln"> 12</span><span class="cl"><span class="sd"> Secrets often contain sensitive information and their access should be carefully controlled. </span></span></span><span class="line"><span class="ln"> 13</span><span class="cl"><span class="sd"> Although Kubernetes RBAC can be effective at restricting them in several ways, </span></span></span><span class="line"><span class="ln"> 14</span><span class="cl"><span class="sd"> it lacks the ability to use wildcards in resource names. This policy ensures </span></span></span><span class="line"><span class="ln"> 15</span><span class="cl"><span class="sd"> that only Secrets beginning with the name `safe-` can be consumed by Pods. </span></span></span><span class="line"><span class="ln"> 16</span><span class="cl"><span class="sd"> In order to work effectively, this policy needs to be paired with a separate policy </span></span></span><span class="line"><span class="ln"> 17</span><span class="cl"><span class="sd"> or rule to require `automountServiceAccountToken=false` since this would otherwise </span></span></span><span class="line"><span class="ln"> 18</span><span class="cl"><span class="sd"> result in a Secret being mounted.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-secrets-from-env</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 29</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 30</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 31</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 32</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 33</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 34</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 35</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 36</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Only Secrets beginning with `safe-` may be consumed in env statements.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 38</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 39</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 40</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 41</span><span class="cl"><span class="w"> </span>- <span class="nt">=(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 42</span><span class="cl"><span class="w"> </span><span class="nt">=(env)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 43</span><span class="cl"><span class="w"> </span>- <span class="nt">=(valueFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 44</span><span class="cl"><span class="w"> </span><span class="nt">=(secretKeyRef)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 45</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-*</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 46</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 47</span><span class="cl"><span class="w"> </span>- <span class="nt">=(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 48</span><span class="cl"><span class="w"> </span><span class="nt">=(env)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 49</span><span class="cl"><span class="w"> </span>- <span class="nt">=(valueFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 50</span><span class="cl"><span class="w"> </span><span class="nt">=(secretKeyRef)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 51</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-*</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 52</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 53</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 54</span><span class="cl"><span class="w"> </span><span class="nt">=(env)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 55</span><span class="cl"><span class="w"> </span>- <span class="nt">=(valueFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 56</span><span class="cl"><span class="w"> </span><span class="nt">=(secretKeyRef)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 57</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-*</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 58</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-secrets-from-envfrom</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 59</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 60</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 61</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 62</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 63</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 64</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 65</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 66</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 67</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 68</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 69</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 70</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 71</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 72</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Only Secrets beginning with `safe-` may be consumed in envFrom statements.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 73</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 74</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 75</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 76</span><span class="cl"><span class="w"> </span>- <span class="nt">=(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 77</span><span class="cl"><span class="w"> </span><span class="nt">=(envFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 78</span><span class="cl"><span class="w"> </span>- <span class="nt">=(secretRef)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 79</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-*</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 80</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 81</span><span class="cl"><span class="w"> </span>- <span class="nt">=(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 82</span><span class="cl"><span class="w"> </span><span class="nt">=(envFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 83</span><span class="cl"><span class="w"> </span>- <span class="nt">=(secretRef)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 84</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-*</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 85</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 86</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 87</span><span class="cl"><span class="w"> </span><span class="nt">=(envFrom)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 88</span><span class="cl"><span class="w"> </span>- <span class="nt">=(secretRef)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 89</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-*</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 90</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-secrets-from-volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 91</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 92</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 93</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 94</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 95</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 96</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 97</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 98</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 99</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">100</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">101</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">102</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">103</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">104</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Only Secrets beginning with `safe-` may be consumed in volumes.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">105</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">106</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">107</span><span class="cl"><span class="w"> </span><span class="nt">=(volumes)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">108</span><span class="cl"><span class="w"> </span>- <span class="nt">=(secret)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">109</span><span class="cl"><span class="w"> </span><span class="nt">secretName</span><span class="p">:</span><span class="w"> </span><span class="l">safe-*</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-secrets-by-name/restrict-secrets-by-name/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-secrets-by-name/restrict-secrets-by-name/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-secrets-by-name/restrict-secrets-by-name.yaml" target="-blank">/other-cel/restrict-secrets-by-name/restrict-secrets-by-name.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-secrets-by-name</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Secrets by Name in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod, Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Secrets often contain sensitive information and their access should be carefully controlled. </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Although Kubernetes RBAC can be effective at restricting them in several ways, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> it lacks the ability to use wildcards in resource names. This policy ensures </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> that only Secrets beginning with the name `safe-` can be consumed by Pods. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> In order to work effectively, this policy needs to be paired with a separate policy </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> or rule to require `automountServiceAccountToken=false` since this would otherwise </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> result in a Secret being mounted.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-secrets-from-env</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> container.?env.orValue([]).all(env, </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> env.?valueFrom.?secretKeyRef.?name.orValue(&#39;safe-&#39;).startsWith(&#34;safe-&#34;)))</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Only Secrets beginning with `safe-` may be consumed in env statements.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-secrets-from-envfrom</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allContainers</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="sd"> variables.allContainers.all(container, </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="sd"> container.?envFrom.orValue([]).all(env, </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="sd"> env.?secretRef.?name.orValue(&#39;safe-&#39;).startsWith(&#34;safe-&#34;)))</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Only Secrets beginning with `safe-` may be consumed in envFrom statements.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">safe-secrets-from-volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="sd"> object.spec.?volumes.orValue([]).all(volume, </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="sd"> volume.?secret.?secretName.orValue(&#39;safe-&#39;).startsWith(&#34;safe-&#34;))</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Only Secrets beginning with `safe-` may be consumed in volumes.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-service-account/restrict-service-account/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-service-account/restrict-service-account/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-service-account/restrict-service-account.yaml" target="-blank">/other/restrict-service-account/restrict-service-account.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-service-account</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Service Account</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Users may be able to specify any ServiceAccount which exists in their Namespace without </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> restrictions. Confining Pods to a list of authorized ServiceAccounts can be useful to </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> ensure applications in those Pods do not have more privileges than they should. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy verifies that in the `staging` Namespace the ServiceAccount being </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> specified is matched based on the image and name of the container. For example: </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> &#39;sa-name: [&#34;registry/image-name&#34;]&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-service-account</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">saMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">configMap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">sa-map</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">staging</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="l">staging</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Invalid service account {{ request.object.spec.serviceAccountName }} for image {{ images.containers.*.registry | [0] }}/{{ images.containers.*.name | [0] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ images.containers.*.registry | [0] }}/{{ images.containers.*.name | [0] }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ saMap.data.\&#34;{{ request.object.spec.serviceAccountName }}\&#34; }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-service-port-range/restrict-service-port-range/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-service-port-range/restrict-service-port-range/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-service-port-range/restrict-service-port-range.yaml" target="-blank">/other/restrict-service-port-range/restrict-service-port-range.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-service-port-range</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Service Port Range</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Services which are allowed to expose any port number may be able </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to impact other applications running on the Node which require them, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> or may make specifying security policy externally more challenging. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy enforces that only the port range 32000 to 33000 may </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> be used for Service resources.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-port-range</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Ports must be between 32000-33000</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">32000-33000</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-service-port-range/restrict-service-port-range/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-service-port-range/restrict-service-port-range/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-service-port-range/restrict-service-port-range.yaml" target="-blank">/other-cel/restrict-service-port-range/restrict-service-port-range.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-service-port-range</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Service Port Range in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Services which are allowed to expose any port number may be able </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to impact other applications running on the Node which require them, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> or may make specifying security policy externally more challenging. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy enforces that only the port range 32000 to 33000 may </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> be used for Service resources.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-port-range</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.ports.all(p, p.port &gt;= 32000 &amp;&amp; p.port &lt;= 33000)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">Ports must be between 32000-33000</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-storageclass/restrict-storageclass/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-storageclass/restrict-storageclass/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-storageclass/restrict-storageclass.yaml" target="-blank">/other/restrict-storageclass/restrict-storageclass.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-storageclass</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict StorageClass</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, Multi-Tenancy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">StorageClass</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> StorageClasses allow description of custom &#34;classes&#34; of storage offered </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> by the cluster, based on quality-of-service levels, backup policies, or </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> custom policies determined by the cluster administrators. For shared StorageClasses </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> in a multi-tenancy environment, a reclaimPolicy of `Delete` should be used to ensure </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> a PersistentVolume cannot be reused across Namespaces. This policy requires </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> StorageClasses set a reclaimPolicy of `Delete`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">storageclass-delete</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">StorageClass</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;StorageClass must define a reclaimPolicy of Delete.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">reclaimPolicy</span><span class="p">:</span><span class="w"> </span><span class="l">Delete</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-storageclass/restrict-storageclass/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-storageclass/restrict-storageclass/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-storageclass/restrict-storageclass.yaml" target="-blank">/other-cel/restrict-storageclass/restrict-storageclass.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-storageclass</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict StorageClass in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other, Multi-Tenancy in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">StorageClass</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> StorageClasses allow description of custom &#34;classes&#34; of storage offered </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> by the cluster, based on quality-of-service levels, backup policies, or </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> custom policies determined by the cluster administrators. For shared StorageClasses </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> in a multi-tenancy environment, a reclaimPolicy of `Delete` should be used to ensure </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> a PersistentVolume cannot be reused across Namespaces. This policy requires </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> StorageClasses set a reclaimPolicy of `Delete`.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">storageclass-delete</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">StorageClass</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.reclaimPolicy == &#39;Delete&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;StorageClass must define a reclaimPolicy of Delete.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/restrict-sysctls/restrict-sysctls/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/baseline/restrict-sysctls/restrict-sysctls/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml" target="-blank">/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-sysctls</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict sysctls</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Sysctls can disable security mechanisms or affect all containers on a </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> host, and should be disallowed except for an allowed &#34;safe&#34; subset. A </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> sysctl is considered safe if it is namespaced in the container or the </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> Pod, and it is isolated from other Pods or processes on the same Node. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy ensures that only those &#34;safe&#34; subsets can be specified in </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> a Pod.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-sysctls</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> Setting additional sysctls above the allowed type is disallowed. </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> The field spec.securityContext.sysctls must be unset or not use any other names </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> net.ipv4.ping_group_range.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">=(sysctls)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">=(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml" target="-blank">/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-sysctls</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict sysctls in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Sysctls can disable security mechanisms or affect all containers on a </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> host, and should be disallowed except for an allowed &#34;safe&#34; subset. A </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> sysctl is considered safe if it is namespaced in the container or the </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> Pod, and it is isolated from other Pods or processes on the same Node. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> This policy ensures that only those &#34;safe&#34; subsets can be specified in </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> a Pod.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-sysctls</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowedSysctls</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;kernel.shm_rmid_forced&#39;,&#39;net.ipv4.ip_local_port_range&#39;,&#39;net.ipv4.ip_unprivileged_port_start&#39;,&#39;net.ipv4.tcp_syncookies&#39;,&#39;net.ipv4.ping_group_range&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="l">object.spec.?securityContext.?sysctls.orValue([]).all(sysctl, sysctl == &#39;&#39; ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="l">has(sysctl.name) &amp;&amp; sysctl.name in variables.allowedSysctls)</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> Setting additional sysctls above the allowed type is disallowed. </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> The field spec.securityContext.sysctls must be unset or not use any other names </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="sd"> net.ipv4.ping_group_range.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/restrict-sysctls/restrict-sysctls/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/baseline/restrict-sysctls/restrict-sysctls/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/baseline/restrict-sysctls/restrict-sysctls.yaml" target="-blank">/pod-security-vpol/baseline/restrict-sysctls/restrict-sysctls.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-sysctls</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict sysctls in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Baseline) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Sysctls can disable security mechanisms or affect all containers on a </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> host, and should be disallowed except for an allowed &#34;safe&#34; subset. A </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> sysctl is considered safe if it is namespaced in the container or the </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> Pod, and it is isolated from other Pods or processes on the same Node. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> This policy ensures that only those &#34;safe&#34; subsets can be specified in </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> a Pod.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowedSysctls</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;[&#39;kernel.shm_rmid_forced&#39;,&#39;net.ipv4.ip_local_port_range&#39;,&#39;net.ipv4.ip_unprivileged_port_start&#39;,&#39;net.ipv4.tcp_syncookies&#39;,&#39;net.ipv4.ping_group_range&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> object.spec.?securityContext.?sysctls.orValue([]).all(sysctl, </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> sysctl.?name.orValue(&#39;&#39;) in variables.allowedSysctls)</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> Setting additional sysctls above the allowed type is disallowed. </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> The field spec.securityContext.sysctls must be unset or not use any other names </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="sd"> net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> net.ipv4.ping_group_range.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml" target="-blank">/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-virtual-service-wildcard</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Virtual Service Host with Wildcards</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">VirtualService</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Virtual Services optionally accept a wildcard as an alternative </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> to precise matching. In some cases, this may be too permissive as it </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> would direct unintended traffic to the given resource. This </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> policy enforces that any Virtual Service host does not contain a wildcard </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> character and allows for more governance when a single mesh deployment </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> model is used.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">block-virtual-service-wildcard</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">VirtualService</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Wildcards are not permitted as hosts.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.hosts&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ contains(element, &#39;*&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/restricted/restrict-volume-types/restrict-volume-types/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/restricted/restrict-volume-types/restrict-volume-types/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml" target="-blank">/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-volume-types</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Volume Types</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,Volume</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In addition to restricting HostPath volumes, the restricted pod security profile </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> limits usage of non-core volume types to those defined through PersistentVolumes. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy blocks any other type of volume other than those in the allow list.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restricted-volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> Only the following types of volumes may be used: configMap, csi, downwardAPI, </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.volumes[].keys(@)[] || &#39;&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="l">name</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">configMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">csi</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">downwardAPI</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="l">emptyDir</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="l">ephemeral</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="l">persistentVolumeClaim</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">projected</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="l">secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="s1">&#39;&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml" target="-blank">/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-volume-types</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Volume Types in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted) in CEL</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,Volume</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In addition to restricting HostPath volumes, the restricted pod security profile </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> limits usage of non-core volume types to those defined through PersistentVolumes. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy blocks any other type of volume other than those in the allow list.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restricted-volumes</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>!<span class="l">has(object.spec.volumes) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="l">object.spec.volumes.all(vol, has(vol.configMap) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="l">has(vol.csi) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="l">has(vol.downwardAPI) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="l">has(vol.emptyDir) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="l">has(vol.ephemeral) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="l">has(vol.persistentVolumeClaim) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="l">has(vol.projected) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="l">has(vol.secret))</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> Only the following types of volumes may be used: configMap, csi, downwardAPI, </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="sd"> emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/restricted/restrict-volume-types/restrict-volume-types/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security-vpol/restricted/restrict-volume-types/restrict-volume-types/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security-vpol/restricted/restrict-volume-types/restrict-volume-types.yaml" target="-blank">/pod-security-vpol/restricted/restrict-volume-types/restrict-volume-types.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-volume-types</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Volume Types in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security Standards (Restricted) in ValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod,Volume</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.30+&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> In addition to restricting HostPath volumes, the restricted pod security profile </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> limits usage of non-core volume types to those defined through PersistentVolumes. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy blocks any other type of volume other than those in the allow list.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="l">&gt;- </span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>!<span class="l">has(object.spec.volumes) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="l">object.spec.volumes.all(vol, has(vol.configMap) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="l">has(vol.csi) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="l">has(vol.downwardAPI) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="l">has(vol.emptyDir) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="l">has(vol.ephemeral) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="l">has(vol.persistentVolumeClaim) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="l">has(vol.projected) ||</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="l">has(vol.secret))</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> Only the following types of volumes may be used: configMap, csi, downwardAPI, </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-wildcard-verbs/restrict-wildcard-verbs/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-wildcard-verbs/restrict-wildcard-verbs/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml" target="-blank">/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-wildcard-verbs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Wildcard in Verbs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Role, ClusterRole, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Wildcards (&#39;*&#39;) in verbs grants all access to the resources referenced by it and </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> does not follow the principal of least privilege. As much as possible, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> avoid such open verbs unless scoped to perhaps a custom API group. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy blocks any Role or ClusterRole that contains a wildcard entry in </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> the verbs list found in any rule.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">wildcard-verbs</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of a wildcard (&#39;*&#39;) in any verbs is forbidden.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ contains(to_array(request.object.rules[].verbs[]), &#39;*&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-wildcard-verbs/restrict-wildcard-verbs/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-wildcard-verbs/restrict-wildcard-verbs/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml" target="-blank">/other-cel/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-wildcard-verbs</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Wildcard in Verbs in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Role, ClusterRole, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Wildcards (&#39;*&#39;) in verbs grants all access to the resources referenced by it and </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> does not follow the principal of least privilege. As much as possible, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> avoid such open verbs unless scoped to perhaps a custom API group. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy blocks any Role or ClusterRole that contains a wildcard entry in </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> the verbs list found in any rule.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">wildcard-verbs</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.rules == null || !object.rules.exists(rule, &#39;*&#39; in rule.verbs)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of a wildcard (&#39;*&#39;) in any verbs is forbidden.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-wildcard-resources/restrict-wildcard-resources/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-wildcard-resources/restrict-wildcard-resources/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-wildcard-resources/restrict-wildcard-resources.yaml" target="-blank">/other/restrict-wildcard-resources/restrict-wildcard-resources.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-wildcard-resources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Wildcards in Resources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole, Role, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Wildcards (&#39;*&#39;) in resources grants access to all of the resources referenced by </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the given API group and does not follow the principal of least privilege. As much as possible, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> avoid such open resources unless scoped to perhaps a custom API group. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy blocks any Role or ClusterRole that contains a wildcard entry in </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> the resources list found in any rule.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">wildcard-resources</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of a wildcard (&#39;*&#39;) in any resources is forbidden.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ contains(request.object.rules[].resources[], &#39;*&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-wildcard-resources/restrict-wildcard-resources/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-wildcard-resources/restrict-wildcard-resources/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml" target="-blank">/other-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-wildcard-resources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restrict Wildcards in Resources in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Security, EKS Best Practices in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole, Role, RBAC</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Wildcards (&#39;*&#39;) in resources grants access to all of the resources referenced by </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the given API group and does not follow the principal of least privilege. As much as possible, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> avoid such open resources unless scoped to perhaps a custom API group. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy blocks any Role or ClusterRole that contains a wildcard entry in </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> the resources list found in any rule.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">wildcard-resources</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.rules == null || !object.rules.exists(rule, &#39;*&#39; in rule.resources)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Use of a wildcard (&#39;*&#39;) in any resources is forbidden.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/subrule/restricted/restricted-latest/restricted-latest/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/subrule/restricted/restricted-latest/restricted-latest/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/subrule/restricted/restricted-latest/restricted-latest.yaml" target="-blank">/pod-security/subrule/restricted/restricted-latest/restricted-latest.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">podsecurity-subrule-restricted</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restricted Pod Security Standards</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The restricted profile of the Pod Security Standards, which is inclusive of </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the baseline profile, is a collection of all the most common configurations </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> may be assigned to the cluster through a single rule. This policy configures the </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> restricted profile through the latest version of the Pod Security Standards cluster wide.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">podSecurity</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="l">latest</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities.yaml" target="-blank">/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">podsecurity-subrule-restricted-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restricted Pod Security Standards with Container-Level Control Exemption</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The restricted profile of the Pod Security Standards, which is inclusive of </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the baseline profile, is a collection of all the most common configurations </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> may be assigned to the cluster through a single rule. In some cases, specific exemptions </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> must be made on a per-control basis. This policy configures the </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> restricted profile through the latest version of the Pod Security Standards cluster wide while </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> exempting `nginx` and `redis` container images from the Capabilities control check.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restricted-exempt-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">podSecurity</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="l">latest</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">controlName</span><span class="p">:</span><span class="w"> </span><span class="l">Capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">images</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="l">ghcr.io/kyverno/test-nginx*</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="l">redis*</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/pod-security/subrule/restricted/restricted-exclude-seccomp/restricted-exclude-seccomp/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/pod-security/subrule/restricted/restricted-exclude-seccomp/restricted-exclude-seccomp/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//pod-security/subrule/restricted/restricted-exclude-seccomp/restricted-exclude-seccomp.yaml" target="-blank">/pod-security/subrule/restricted/restricted-exclude-seccomp/restricted-exclude-seccomp.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">podsecurity-subrule-restricted-seccomp</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Restricted Pod Security Standards with Spec and Container-Level Control Exemption</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Pod Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> The restricted profile of the Pod Security Standards, which is inclusive of </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the baseline profile, is a collection of all the most common configurations </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> may be assigned to the cluster through a single rule. In some cases, specific exemptions </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> must be made on a per-control basis. This policy configures the </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> restricted profile through the latest version of the Pod Security Standards cluster wide while </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> completely exempting Seccomp control check.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restricted-exempt-seccomp</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">podSecurity</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="l">latest</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">controlName</span><span class="p">:</span><span class="w"> </span><span class="l">Seccomp</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">controlName</span><span class="p">:</span><span class="w"> </span><span class="l">Seccomp</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">images</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="s1">&#39;*&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/scale-deployment-zero/scale-deployment-zero/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/scale-deployment-zero/scale-deployment-zero/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/scale-deployment-zero/scale-deployment-zero.yaml" target="-blank">/other/scale-deployment-zero/scale-deployment-zero.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">scale-deployment-zero</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Scale Deployment to Zero</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> If a Deployment&#39;s Pods are seen crashing multiple times it usually indicates </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> there is an issue that must be manually resolved. Removing the failing Pods and </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> marking the Deployment is often a useful troubleshooting step. This policy watches </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> existing Pods and if any are observed to have restarted more than </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> once, indicating a potential crashloop, Kyverno scales its parent deployment to zero </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> and writes an annotation signaling to an SRE team that troubleshooting is needed. </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> It may be necessary to grant additional privileges to the Kyverno ServiceAccount, </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="sd"> via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments. </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="sd"> This policy scales down deployments with frequently restarting pods by monitoring `Pod.status` </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="sd"> for `restartCount`updates, which are performed by the kubelet. No `resourceFilter` modifications </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="sd"> are needed if matching on `Pod`and `Pod.status`. </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="sd"> Note: For this policy to work, you must modify Kyverno&#39;s ConfigMap to remove or change the line </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="sd"> `excludeGroups: system:nodes` since version 1.10.</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">annotate-deployment-rule</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="l">v1/Pod.status</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ sum(request.object.status.containerStatuses[*].restartCount || [`0`]) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">rsname</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.metadata.ownerReferences[0].name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deploymentname</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/apps/v1/namespaces/{{request.namespace}}/replicasets&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?metadata.name==&#39;{{rsname}}&#39;].metadata.ownerReferences[0].name | [0]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">apps/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{deploymentname}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">sre.corp.org/troubleshooting-needed</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio/service-mesh-disallow-capabilities/service-mesh-disallow-capabilities/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio/service-mesh-disallow-capabilities/service-mesh-disallow-capabilities/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio/service-mesh-disallow-capabilities/service-mesh-disallow-capabilities.yaml" target="-blank">/istio/service-mesh-disallow-capabilities/service-mesh-disallow-capabilities.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">service-mesh-disallow-capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Service Mesh Disallow Capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio, Linkerd, Pod Security Standards (Baseline)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.3</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.28&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy is a variation of the disallow-capabilities policy that is a part of the </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pod Security Standards (Baseline) category. It enforces the same control but with </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> provisions for common service mesh initContainers from Istio and Linkerd which need </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the additional capabilities, NET_ADMIN and NET_RAW. For more information and context, </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">adding-capabilities-istio-linkerd</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">capabilities</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;AUDIT_WRITE&#34;</span><span class="p">,</span><span class="s2">&#34;CHOWN&#34;</span><span class="p">,</span><span class="s2">&#34;DAC_OVERRIDE&#34;</span><span class="p">,</span><span class="s2">&#34;FOWNER&#34;</span><span class="p">,</span><span class="s2">&#34;FSETID&#34;</span><span class="p">,</span><span class="s2">&#34;KILL&#34;</span><span class="p">,</span><span class="s2">&#34;MKNOD&#34;</span><span class="p">,</span><span class="s2">&#34;NET_BIND_SERVICE&#34;</span><span class="p">,</span><span class="s2">&#34;SETFCAP&#34;</span><span class="p">,</span><span class="s2">&#34;SETGID&#34;</span><span class="p">,</span><span class="s2">&#34;SETPCAP&#34;</span><span class="p">,</span><span class="s2">&#34;SETUID&#34;</span><span class="p">,</span><span class="s2">&#34;SYS_CHROOT&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> are disallowed. Service mesh initContainers may additionally add NET_ADMIN and NET_RAW.</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.initContainers[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*/istio/proxyv2*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*/linkerd/proxy-init*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.securityContext.capabilities.add[] || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="l">NET_ADMIN</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="l">NET_RAW</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{ capabilities }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.securityContext.capabilities.add[] || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ capabilities }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The service mesh initContainer {{ element.name }} is attempting to add forbidden capabilities.</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.initContainers[]</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.image }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*/istio/proxyv2*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*/linkerd/proxy-init*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.securityContext.capabilities.add[] || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ capabilities }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The initContainer {{ element.name }} is attempting to add forbidden capabilities.</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.[ephemeralContainers, containers][]</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">83</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.securityContext.capabilities.add[] || `[]` }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">84</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">85</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ capabilities }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">86</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The container {{ element.name }} is attempting to add forbidden capabilities.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/istio/service-mesh-require-run-as-nonroot/service-mesh-require-run-as-nonroot/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/istio/service-mesh-require-run-as-nonroot/service-mesh-require-run-as-nonroot/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//istio/service-mesh-require-run-as-nonroot/service-mesh-require-run-as-nonroot.yaml" target="-blank">/istio/service-mesh-require-run-as-nonroot/service-mesh-require-run-as-nonroot.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">service-mesh-require-run-as-nonroot</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Service Mesh Require runAsNonRoot</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Istio, Pod Security Standards (Restricted)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.3</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.28&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> This policy is a variation of the Require runAsNonRoot policy that is a part of the </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Pod Security Standards (Restricted) category. It enforces the same control but with </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> provisions for Istio&#39;s initContainer. For more information and context, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">run-as-non-root-istio</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="sd"> Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> must be set to `true`. </span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">anyPattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsNonRoot)</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">(image)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!*istio/proxyv2*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsNonRoot)</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">=(securityContext)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">=(runAsNonRoot)</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">=(ephemeralContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">=(initContainers)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="nt">(image)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;!*istio/proxyv2*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-minimum-retention/kasten-minimum-retention/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-minimum-retention/kasten-minimum-retention/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kasten/kasten-minimum-retention/kasten-minimum-retention.yaml" target="-blank">/kasten/kasten-minimum-retention/kasten-minimum-retention.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-minimum-retention</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Set Kasten Policy Minimum Backup Retention</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Veeam Kasten</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24-1.30&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Example Kyverno policy to enforce common compliance retention standards by modifying Kasten Policy backup retention settings. Based on regulation/compliance standard requirements, uncomment (1) of the desired GFS retention schedules to mutate existing and future Kasten Policies. Alternatively, this policy can be used to reduce retention lengths to enforce cost optimization. NOTE: This example only applies to Kasten Policies with an &#39;@hourly&#39; frequency. Refer to Kasten documentation for Policy API specification if modifications are necessary: https://docs.kasten.io/latest/api/policies.html#policy-api-type</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-minimum-retention</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="l">config.kio.kasten.io/v1alpha1/Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="c"># Match only @hourly policies that do not use policy presets, as the</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="c"># number of retained artifacts can only be specified for frequencies</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="c"># of the same or lower granularity than the policy frequency. For example,</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="c"># if the policy frequency is &#39;@daily&#39;, then retention can have values for</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="c"># &#39;daily&#39;, &#39;weekly&#39;, &#39;monthly&#39; and &#39;yearly&#39;, but not for &#39;hourly&#39;.</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="c"># If the policy frequency is &#39;hourly&#39;, then all retention values are</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="c"># allowed. If the policy frequency is &#39;@onDemand&#39; or policy preset is used</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="c"># then retention values are not allowed.</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.frequency || &#39;&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;@hourly&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="c"># Federal Information Security Management Act (FISMA): 3 Years </span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="c">#patchesJson6902: |-</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="c"># - path: &#34;/spec/retention&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="c"># op: replace</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="c"># value: {&#34;hourly&#34;:24,&#34;daily&#34;:30,&#34;weekly&#34;:4,&#34;monthly&#34;:12,&#34;yearly&#34;:3}</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="c"># Health Insurance Portability and Accountability Act (HIPAA): 6 Years </span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="c">#patchesJson6902: |-</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="c"># - path: &#34;/spec/retention&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="c"># op: replace</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="c"># value: {&#34;hourly&#34;:24,&#34;daily&#34;:30,&#34;weekly&#34;:4,&#34;monthly&#34;:12,&#34;yearly&#34;:6}</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="c"># National Energy Commission (NERC): 3 to 6 Years </span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="c">#patchesJson6902: |-</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="c"># - path: &#34;/spec/retention&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="c"># op: replace</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="c"># value: {&#34;hourly&#34;:24,&#34;daily&#34;:30,&#34;weekly&#34;:4,&#34;monthly&#34;:12,&#34;yearly&#34;:3}</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="c"># Basel II Capital Accord: 3 to 7 Years </span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="c">#patchesJson6902: |-</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="c"># - path: &#34;/spec/retention&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="c"># op: replace</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="c"># value: {&#34;hourly&#34;:24,&#34;daily&#34;:30,&#34;weekly&#34;:4,&#34;monthly&#34;:12,&#34;yearly&#34;:3}</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="c"># Sarbanes-Oxley Act of 2002 (SOX): 7 Years</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="c">#patchesJson6902: |-</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="c"># - path: &#34;/spec/retention&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="c"># op: replace</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="c"># value: {&#34;hourly&#34;:24,&#34;daily&#34;:30,&#34;weekly&#34;:4,&#34;monthly&#34;:12,&#34;yearly&#34;:7}</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="c"># National Industrial Security Program Operating Manual (NISPOM): 6 to 12 Months </span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="c">#patchesJson6902: |-</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="c"># - path: &#34;/spec/retention&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="c"># op: replace</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="c"># value: {&#34;hourly&#34;:24,&#34;daily&#34;:30,&#34;weekly&#34;:4,&#34;monthly&#34;:6}</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="c"># Cost Optimization (Maximum Retention: 3 Months)</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">patchesJson6902</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="sd"> - path: &#34;/spec/retention&#34; </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="sd"> op: replace </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="sd"> value: </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="sd"> hourly: 24 </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="sd"> daily: 30 </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="sd"> weekly: 4 </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="sd"> monthly: 3</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml" target="-blank">/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">set-karpenter-non-cpu-limits</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Set non-CPU limits for pods to work well with Karpenter.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Karpenter, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.3</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> For correct node provisioning Karpenter should know exactly what the non-CPU resources are </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> that the pods will need. Otherwise Karpenter will put as many pods on a node as possible, </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> which may lead to memory pressure on nodes. This is especially important in consolidation </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> mode.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">set-ephemeral-storage</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">+(ephemeral-storage)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.resources.limits.\&#34;ephemeral-storage\&#34; || element.resources.requests.\&#34;ephemeral-storage\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">ephemeral-storage</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.resources.limits.\&#34;ephemeral-storage\&#34; || element.resources.requests.\&#34;ephemeral-storage\&#34;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">set-memory</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.containers</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">+(memory)</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.resources.limits.memory || element.resources.requests.memory}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{element.resources.limits.memory || element.resources.requests.memory}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/spread-pods-across-topology/spread-pods-across-topology/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/spread-pods-across-topology/spread-pods-across-topology/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/spread-pods-across-topology/spread-pods-across-topology.yaml" target="-blank">/other/spread-pods-across-topology/spread-pods-across-topology.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">spread-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Spread Pods Across Nodes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Deployments to a Kubernetes cluster with multiple availability zones often need to </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> distribute those replicas to align with those zones to ensure site-level failures </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> do not impact availability. This policy matches Deployments with the label </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> `distributed=required` and mutates them to spread Pods across zones.</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">spread-pods-across-nodes</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="c"># Matches any Deployment with the label `distributed=required`</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">distributed</span><span class="p">:</span><span class="w"> </span><span class="l">required</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="c"># Mutates the incoming Deployment.</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="c"># Adds the topologySpreadConstraints field if non-existent in the request.</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">+(topologySpreadConstraints)</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">maxSkew</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">topologyKey</span><span class="p">:</span><span class="w"> </span><span class="l">zone</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">whenUnsatisfiable</span><span class="p">:</span><span class="w"> </span><span class="l">DoNotSchedule</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">labelSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">distributed</span><span class="p">:</span><span class="w"> </span><span class="l">required</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/topologyspreadconstraints-policy/topologyspreadconstraints-policy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/topologyspreadconstraints-policy/topologyspreadconstraints-policy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml" target="-blank">/other/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">topologyspreadconstraints-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Spread Pods Across Nodes &amp; Zones</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.22-1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Deployments to a Kubernetes cluster with multiple availability zones often need to </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> distribute those replicas to align with those zones to ensure site-level failures </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> do not impact availability. This policy ensures topologySpreadConstraints are defined, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> to spread pods over nodes and zones. Deployments or Statefulsets with leass than 3 </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> replicas are skipped.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">failurePolicy</span><span class="p">:</span><span class="w"> </span><span class="l">Ignore</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">spread-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.replicas }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThanOrEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">3</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;topologySpreadConstraint for kubernetes.io/hostname &amp; topology.kubernetes.io/zone are required&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.spec.template.spec.topologySpreadConstraints[?topologyKey==&#39;kubernetes.io/hostname&#39; || topologyKey==&#39;topology.kubernetes.io/zone&#39;] || `[]` | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">2</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/topologyspreadconstraints-policy/topologyspreadconstraints-policy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/topologyspreadconstraints-policy/topologyspreadconstraints-policy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml" target="-blank">/other-cel/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">topologyspreadconstraints-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Spread Pods Across Nodes &amp; Zones in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Deployments to a Kubernetes cluster with multiple availability zones often need to </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> distribute those replicas to align with those zones to ensure site-level failures </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> do not impact availability. This policy ensures topologySpreadConstraints are defined, </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> to spread pods over nodes and zones. Deployments or Statefulsets with less than 3 </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> replicas are skipped.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment, StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">failurePolicy</span><span class="p">:</span><span class="w"> </span><span class="l">Ignore</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">spread-pods</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">celPreconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;replicas-must-be-3-or-more&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.replicas &gt;= 3&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> size(object.spec.template.spec.?topologySpreadConstraints.orValue([]).filter(t, t.topologyKey == &#39;kubernetes.io/hostname&#39; || t.topologyKey == &#39;topology.kubernetes.io/zone&#39;)) == 2</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;topologySpreadConstraint for kubernetes.io/hostname &amp; topology.kubernetes.io/zone are required&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/sync-secrets/sync-secrets/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/sync-secrets/sync-secrets/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/sync-secrets/sync-secrets.yaml" target="-blank">/other/sync-secrets/sync-secrets.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">sync-secrets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Sync Secrets</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> Secrets like registry credentials often need to exist in multiple </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Namespaces so Pods there have access. Manually duplicating those Secrets </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> is time consuming and error prone. This policy will copy a </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Secret called `regcred` which exists in the `default` Namespace to </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> new Namespaces when they are created. It will also push updates to </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the copied Secrets should the source Secret be changed. </span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">sync-image-pull-secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">generate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">regcred</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">synchronize</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">clone</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">regcred</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/time-bound-policy/time-bound-policy/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/time-bound-policy/time-bound-policy/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/time-bound-policy/time-bound-policy.yaml" target="-blank">/other/time-bound-policy/time-bound-policy.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v2beta1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">time-bound-policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Time-Bound Policy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Sometimes a policy should be active or inactive based on a time window </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> determined as part of the policy. Whether the policy should come into play </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> should be dependent on that time. This policy illustrates how to time-bound </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> any policy by using preconditions with JMESPath time filters. In this case, </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> the policy enforces that label `foo` be required on all ConfigMaps during </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> the hours of 8am-5pm EST (expressed in UTC). Additional, similar preconditions </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> may be added to perform other time checks, for example a range of days.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-foo-on-configmaps</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="c"># Get the hour of the current time</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ time_now_utc().time_to_cron(@).split(@,&#39; &#39;) | [1].to_number(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="c"># Only operate during business hours, 8am-5pm EST, in UTC</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">13-22</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The foo label must be set.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">foo</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;?*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-ingress-host/restrict-ingress-host/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-ingress-host/restrict-ingress-host/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-ingress-host/restrict-ingress-host.yaml" target="-blank">/other/restrict-ingress-host/restrict-ingress-host.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">unique-ingress-host</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Unique Ingress Host</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> An Ingress host is a URL at which services may be made available externally. In most cases, </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> these hosts should be unique across the cluster to ensure no routing conflicts occur. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> It also ensures that only a single host may be specified in a given manifest. </span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-single-host-create</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">hosts</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/networking.k8s.io/v1/ingresses&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[].spec.rules[].host&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The Ingress host name must be unique.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.rules[].host }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ hosts }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-single-host-update</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allhosts</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/networking.k8s.io/v1/ingresses&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[?metadata.uid!=&#39;{{ request.object.metadata.uid }}&#39;].spec.rules[].host&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The Ingress host name must be unique.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.rules[].host }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ allhosts }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-multiple-hosts</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.rules[].host | length(@)}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">83</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">84</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">85</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;An Ingress resource may only contain a single host entry.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">86</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/unique-ingress-host-and-path/unique-ingress-host-and-path/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/unique-ingress-host-and-path/unique-ingress-host-and-path/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/unique-ingress-host-and-path/unique-ingress-host-and-path.yaml" target="-blank">/other/unique-ingress-host-and-path/unique-ingress-host-and-path.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">unique-ingress-host-and-path</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Unique Ingress Host and Path</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Similar to the ability to check the uniqueness of hosts and paths independently, </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> it is possible to check for uniqueness of them both together across a cluster. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy ensures that no Ingress can be created or updated unless it is </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> globally unique with respect to host plus path combination.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-host-path-combo</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.operation || &#39;BACKGROUND&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotEquals</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">DELETE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">rules</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/networking.k8s.io/v1/ingresses&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[].spec.rules[]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The Ingress host and path combination must be unique across the cluster.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">foreach</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">list</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;request.object.spec.rules[]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ element.http.paths[].path }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ rules[?host==&#39;{{element.host}}&#39;][].http.paths[].path }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/unique-ingress-paths/unique-ingress-paths/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/unique-ingress-paths/unique-ingress-paths/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/unique-ingress-paths/unique-ingress-paths.yaml" target="-blank">/other/unique-ingress-paths/unique-ingress-paths.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">unique-ingress-path</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Unique Ingress Path</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Just like the need to ensure uniqueness among Ingress hosts, there is a need to have the paths </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> be unique as well. This policy checks an incoming Ingress to ensure its root path does not conflict with another </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> root path in a different Namespace. It requires that incoming Ingress resources have a single </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> rule with a single path only and assumes the root path is specified explicitly in an </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> existing Ingress rule (ex., when blocking /foo/bar /foo must exist by itself and not part of </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> /foo/baz).</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-path</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="c"># Looks up the Ingress paths across the whole cluster.</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allpaths</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/networking.k8s.io/v1/ingresses&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[].spec.rules[].http.paths[].path&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="c"># Looks up the Ingress paths in the same Namespace where the incoming request is targeted.</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">nspath</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/networking.k8s.io/v1/namespaces/{{request.object.metadata.namespace}}/ingresses&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[].spec.rules[].http.paths[].path&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.operation || &#39;BACKGROUND&#39;}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="sd"> The root path /{{request.object.spec.rules[].http.paths[].path | [0] | to_string(@) | split(@, &#39;/&#39;) | [1]}} exists </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="sd"> in another Ingress rule elsewhere in the cluster.</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="c"># Deny if the root path of the request exists somewhere else in the cluster other than the same Namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">/{{request.object.spec.rules[].http.paths[].path | [0] | to_string(@) | split(@, &#39;/&#39;) | [1]}}</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{allpaths}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">/{{request.object.spec.rules[].http.paths[].path | [0] | to_string(@) | split(@, &#39;/&#39;) | [1]}}</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{nspath}}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/update-image-tag/update-image-tag/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/update-image-tag/update-image-tag/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/update-image-tag/update-image-tag.yaml" target="-blank">/other/update-image-tag/update-image-tag.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">update-image-tag</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Update Image Tag</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> For use cases like sidecar injection, it is often the case where existing </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Deployments need the sidecar image updated without destroying the whole Deployment </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> or Pods. This policy updates the image tag on containers named vault-agent for </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> existing Deployments which have the annotation vault.hashicorp.com/agent-inject=&#34;true&#34;. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> It may be necessary to grant additional privileges to the Kyverno ServiceAccount, </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">mutateExistingOnPolicyUpdate</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">update-image-tag-rule</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">vault.hashicorp.com/agent-inject</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">mutate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">apps/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.metadata.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">patchStrategicMerge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">(name)</span><span class="p">:</span><span class="w"> </span><span class="l">vault-agent</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">vault:1.5.4</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml" target="-blank">/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="c">#NOTE: This example assumes that K10 policy presets named &#34;gold&#34;, &#34;silver&#34;, and &#34;bronze&#34; have been pre-created and K10 was deployed into the `kasten-io` namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k10-validate-ns-by-preset-label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Validate Data Protection by Preset Label in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Kasten K10 by Veeam in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Kubernetes applications are typically deployed into a single, logical namespace. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Kasten K10 policies will discover and protect all resources within the selected namespace(s). </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy ensures all new namespaces include a label referencing a valid K10 SLA </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> (Policy Preset) for data protection.This policy can be used in combination with generate </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> ClusterPolicy to automatically create a K10 policy based on the specified SLA. </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> The combination ensures that new applications are not inadvertently left unprotected.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k10-validate-ns-by-preset-label</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.metadata.?labels.?dataprotection.orValue(&#39;&#39;) in [&#39;gold&#39;, &#39;silver&#39;, &#39;bronze&#39;, &#39;none&#39;]&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> Namespaces must specify a &#34;dataprotection&#34; label with a value corresponding to a Kasten K10 SLA: </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> &#34;gold&#34; - &lt;Insert human readable settings of each preset option&gt; </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> &#34;silver&#34; - &lt;For example, hourly backups, exported to immutable S3 storage&gt; </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> &#34;bronze&#34; - &lt;Or, daily local snapshots, NOT exported to external storage&gt; </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="sd"> &#34;none&#34; - No local snapshots or backups</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/kasten/kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//kasten/kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label.yaml" target="-blank">/kasten/kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="c">#NOTE: This example assumes that Kasten policy presets named &#34;gold&#34;, &#34;silver&#34;, and &#34;bronze&#34; have been pre-created and Kasten was deployed into the `kasten-io` namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-validate-ns-by-preset-label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Validate Data Protection with Kasten Preset Label</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Veeam Kasten</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.12.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24-1.30&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Kubernetes applications are typically deployed into a single, logical namespace. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Veeam Kasten policies will discover and protect all resources within the selected namespace(s). </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> This policy ensures all new namespaces include a label referencing a valid Kasten SLA </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> (Policy Preset) for data protection.This policy can be used in combination with /Users/the `kasten-generate-policy-by-preset-label` ClusterPolicy to automatically create a Kasten policy based on the specified SLA. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> The combination ensures that new applications are not inadvertently left unprotected.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kasten-validate-ns-by-preset-label</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="sd"> Namespaces must specify a &#34;dataprotection&#34; label with a value corresponding to a Kasten Policy Preset: </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="sd"> &#34;gold&#34; - &lt;Insert human readable settings of each preset option&gt; </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> &#34;silver&#34; - &lt;For example, hourly backups, exported to immutable S3 storage&gt; </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="sd"> &#34;bronze&#34; - &lt;Or, daily local snapshots, NOT exported to external storage&gt; </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="sd"> &#34;none&#34; - No local snapshots or backups</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">dataprotection</span><span class="p">:</span><span class="w"> </span><span class="l">gold|silver|bronze|none</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/ensure-probes-different/ensure-probes-different/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/ensure-probes-different/ensure-probes-different/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/ensure-probes-different/ensure-probes-different.yaml" target="-blank">/other/ensure-probes-different/ensure-probes-different.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-probes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Validate Probes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Liveness and readiness probes accomplish different goals, and setting both to the same </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> is an anti-pattern and often results in app problems in the future. This policy </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> checks that liveness and readiness probes are not equal. Keep in mind that if both the </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> probes are not set, they are considered to be equal and hence fails the check.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-probes</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Liveness and readiness probes cannot be the same.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.template.spec.containers[?readinessProbe==livenessProbe] | length(@) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">GreaterThan</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/ensure-probes-different/ensure-probes-different/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/ensure-probes-different/ensure-probes-different/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/ensure-probes-different/ensure-probes-different.yaml" target="-blank">/other-cel/ensure-probes-different/ensure-probes-different.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-probes</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">pod-policies.kyverno.io/autogen-controllers</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Validate Probes in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Liveness and readiness probes accomplish different goals, and setting both to the same </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> is an anti-pattern and often results in app problems in the future. This policy </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> checks that liveness and readiness probes are not equal. Keep in mind that if both the </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> probes are not set, they are considered to be equal and hence fails the check.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-probes</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> !object.spec.template.spec.containers.exists(container, </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> has(container.readinessProbe) &amp;&amp; has(container.livenessProbe) &amp;&amp; </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> container.readinessProbe == container.livenessProbe)</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Liveness and readiness probes cannot be the same.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/velero/validate-cron-schedule/validate-cron-schedule/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/velero/validate-cron-schedule/validate-cron-schedule/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//velero/validate-cron-schedule/validate-cron-schedule.yaml" target="-blank">/velero/validate-cron-schedule/validate-cron-schedule.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-cron-schedule</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Validate Schedule</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Velero</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Schedule</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="sd"> A Velero Schedule is given in Cron format and must be accurate to ensure </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="sd"> operation. This policy validates that the schedule is a valid Cron format.</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-cron</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="l">velero.io/v1/Schedule</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The backup schedule must be in a valid cron format.</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ regex_match(&#39;^((?:\\*|[0-5]?[0-9](?:(?:-[0-5]?[0-9])|(?:,[0-5]?[0-9])+)?)(?:\\/[0-9]+)?)\\s+((?:\\*|(?:1?[0-9]|2[0-3])(?:(?:-(?:1?[0-9]|2[0-3]))|(?:,(?:1?[0-9]|2[0-3]))+)?)(?:\\/[0-9]+)?)\\s+((?:\\*|(?:[1-9]|[1-2][0-9]|3[0-1])(?:(?:-(?:[1-9]|[1-2][0-9]|3[0-1]))|(?:,(?:[1-9]|[1-2][0-9]|3[0-1]))+)?)(?:\\/[0-9]+)?)\\s+((?:\\*|(?:[1-9]|1[0-2])(?:(?:-(?:[1-9]|1[0-2]))|(?:,(?:[1-9]|1[0-2]))+)?)(?:\\/[0-9]+)?)\\s+((?:\\*|[0-7](?:-[0-7]|(?:,[0-7])+)?)(?:\\/[0-9]+)?)$&#39;, &#39;{{request.object.spec.schedule}}&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/velero-cel/validate-cron-schedule/validate-cron-schedule/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/velero-cel/validate-cron-schedule/validate-cron-schedule/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//velero-cel/validate-cron-schedule/validate-cron-schedule.yaml" target="-blank">/velero-cel/validate-cron-schedule/validate-cron-schedule.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-cron-schedule</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Validate Schedule in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Velero in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Schedule</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> A Velero Schedule is given in Cron format and must be accurate to ensure </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> operation. This policy validates that the schedule is a valid Cron format.</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-cron</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="l">velero.io/v1/Schedule</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="sd"> object.spec.schedule.matches(&#39;^((?:\\*|[0-5]?[0-9](?:(?:-[0-5]?[0-9])|(?:,[0-5]?[0-9])+)?)(?:\\/[0-9]+)?)\\s+((?:\\*|(?:1?[0-9]|2[0-3])(?:(?:-(?:1?[0-9]|2[0-3]))|(?:,(?:1?[0-9]|2[0-3]))+)?)(?:\\/[0-9]+)?)\\s+((?:\\*|(?:[1-9]|[1-2][0-9]|3[0-1])(?:(?:-(?:[1-9]|[1-2][0-9]|3[0-1]))|(?:,(?:[1-9]|[1-2][0-9]|3[0-1]))+)?)(?:\\/[0-9]+)?)\\s+((?:\\*|(?:[1-9]|1[0-2])(?:(?:-(?:[1-9]|1[0-2]))|(?:,(?:[1-9]|1[0-2]))+)?)(?:\\/[0-9]+)?)\\s+((?:\\*|[0-7](?:-[0-7]|(?:,[0-7])+)?)(?:\\/[0-9]+)?)$&#39;)</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The backup schedule must be in a valid cron format.</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/openshift/team-validate-ns-name/team-validate-ns-name/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/openshift/team-validate-ns-name/team-validate-ns-name/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//openshift/team-validate-ns-name/team-validate-ns-name.yaml" target="-blank">/openshift/team-validate-ns-name/team-validate-ns-name.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">team-validate-ns-name</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Validate Team Namespace Schema</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">OpenShift</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Naming patterns are commonplace in clusters where creation activities </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> are granted to other users. In order to maintain organization, it is often </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> such that patterns should be established for organizational consistency. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy denies the creation of a Namespace if the name of the Namespace does </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> not follow a specific naming defined by the cluster admins.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">team-validate-ns-name</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">ProjectRequest</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">Project</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="c"># subjects:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="c"># - kind: Group</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="c"># name: &#34;system:authenticated&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">The only names approved for your Namespaces are the ones starting by {{request.userInfo.groups[?contains(@,&#39;:&#39;) == `false`]}}-*</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{request.object.metadata.name}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.userInfo.groups[?contains(@,&#39;:&#39;) == `false`][].join(&#39;-&#39;, [@, &#39;*&#39;]) }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml" target="-blank">/other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-userid-groupid-fsgroup</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Validate User ID, Group ID, and FS Group</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> All processes inside a Pod can be made to run with specific user and groupID </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> to make sure any file created in the volume will have the specified groupID. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> This policy validates that these fields are set to the defined values.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-userid</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;User ID should be 1000.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">runAsUser</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;1000&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-groupid</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Group ID should be 3000.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;3000&#39;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-fsgroup</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;fsgroup should be 2000.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">fsGroup</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;2000&#39;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml" target="-blank">/other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-userid-groupid-fsgroup</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Validate User ID, Group ID, and FS Group in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Sample in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> All processes inside a Pod can be made to run with specific user and groupID </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> to make sure any file created in the volume will have the specified groupID. </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> This policy validates that these fields are set to the defined values.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">validate-userid-groupid-fsgroup</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?securityContext.?runAsUser.orValue(1) == 1000&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;User ID should be 1000.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?securityContext.?runAsGroup.orValue(1) == 3000&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Group ID should be 3000.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?securityContext.?fsGroup.orValue(1) == 2000&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;fs Group should be 2000.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/verify-sbom-cyclonedx/verify-sbom-cyclonedx/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/verify-sbom-cyclonedx/verify-sbom-cyclonedx/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/verify-sbom-cyclonedx/verify-sbom-cyclonedx.yaml" target="-blank">/other/verify-sbom-cyclonedx/verify-sbom-cyclonedx.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-sbom-cyclonedx</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify CycloneDX SBOM (Keyless)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Software Supply Chain Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.3</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Software Bill of Materials (SBOM) provide details on the composition of a given </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> container image and may be represented in a couple different standards. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> Having an SBOM can be important to ensuring images are built using verified </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> processes. This policy verifies that an image has an SBOM in CycloneDX format </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> and was signed by the expected subject and issuer when produced through GitHub Actions </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> and using Cosign&#39;s keyless signing. It requires configuration based upon your own values.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">webhookTimeoutSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-sbom</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">verifyImages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">imageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;myreg.org/path/repo:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">attestations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">predicateType</span><span class="p">:</span><span class="w"> </span><span class="l">https://cyclonedx.org/schema</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">keyless</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">subject</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;mysubject&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">issuer</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://token.actions.githubusercontent.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">rekor</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l">https://rekor.sigstore.dev</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ Data.bomFormat }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">CycloneDX</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/flux/verify-flux-images/verify-flux-images/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/flux/verify-flux-images/verify-flux-images/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//flux/verify-flux-images/verify-flux-images.yaml" target="-blank">/flux/verify-flux-images/verify-flux-images.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-flux-images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify Flux Images</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Flux</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Ensures that container images used to run Flux controllers in the cluster </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> are signed with valid Cosign signatures. Prevents the deployment of untrusted </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> or potentially compromised Flux images. Protects the integrity and security </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> of the Flux deployment process.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-cosign-signature</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">verifyImages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">imageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;ghcr.io/fluxcd/source-controller:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;ghcr.io/fluxcd/kustomize-controller:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;ghcr.io/fluxcd/helm-controller:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;ghcr.io/fluxcd/notification-controller:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;ghcr.io/fluxcd/image-reflector-controller:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;ghcr.io/fluxcd/image-automation-controller:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;docker.io/fluxcd/source-controller:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;docker.io/fluxcd/kustomize-controller:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;docker.io/fluxcd/helm-controller:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;docker.io/fluxcd/notification-controller:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;docker.io/fluxcd/image-reflector-controller:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;docker.io/fluxcd/image-automation-controller:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">mutateDigest</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">verifyDigest</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="nt">keyless</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">subject</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://github.com/fluxcd/*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">issuer</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://token.actions.githubusercontent.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">rekor</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l">https://rekor.sigstore.dev</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/flux/verify-flux-sources/verify-flux-sources/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/flux/verify-flux-sources/verify-flux-sources/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//flux/verify-flux-sources/verify-flux-sources.yaml" target="-blank">/flux/verify-flux-sources/verify-flux-sources.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-flux-sources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify Flux Sources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Flux</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.6.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">GitRepository, Bucket, HelmRepository, ImageRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Flux source APIs include a number of different sources such as </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> GitRepository, Bucket, HelmRepository, and ImageRepository resources. Each of these </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> by default can be pointed to any location. In a production environment, </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> it may be desired to restrict these to only known sources to prevent </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> accessing outside sources. This policy verifies that each of the Flux </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> sources comes from a trusted location.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">flux-github-repositories</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;.spec.url must be from a repository within the myorg organization.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://github.com/myorg/?* | ssh://git@github.com:myorg/?*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">flux-buckets</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">Bucket</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;.spec.endpoint must reference an address within the myorg organization.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">endpoint</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*.myorg.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">flux-helm-repositories</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span>- <span class="l">HelmRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span>- <span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;.spec.url must be from a repository within the myorg organization.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://?*.myorg.com/*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">flux-image-repositories</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span>- <span class="l">ImageRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span>- <span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">83</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;.spec.image must be from an image repository within the myorg organization.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">84</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">85</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">86</span><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ghcr.io/myorg/*&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/flux-cel/verify-flux-sources/verify-flux-sources/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/flux-cel/verify-flux-sources/verify-flux-sources/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//flux-cel/verify-flux-sources/verify-flux-sources.yaml" target="-blank">/flux-cel/verify-flux-sources/verify-flux-sources.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-flux-sources</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify Flux Sources in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Flux in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">GitRepository, Bucket, HelmRepository, ImageRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Flux source APIs include a number of different sources such as </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> GitRepository, Bucket, HelmRepository, and ImageRepository resources. Each of these </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> by default can be pointed to any location. In a production environment, </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> it may be desired to restrict these to only known sources to prevent </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> accessing outside sources. This policy verifies that each of the Flux </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> sources comes from a trusted location.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">flux-github-repositories</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.url.startsWith(&#39;https://github.com/myorg/&#39;) || object.spec.url.startsWith(&#39;ssh://git@github.com:myorg/&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;.spec.url must be from a repository within the myorg organization.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">flux-buckets</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="l">Bucket</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span>- <span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?endpoint.orValue(&#39;&#39;).endsWith(&#39;.myorg.com&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;.spec.endpoint must reference an address within the myorg organization.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">flux-helm-repositories</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span>- <span class="l">HelmRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span>- <span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.url.matches(&#39;^https://[a-zA-Z0-9-]+[.]myorg[.]com/.*$&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;.spec.url must be from a repository within the myorg organization.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">flux-image-repositories</span><span class="w"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">83</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">84</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">85</span><span class="cl"><span class="w"> </span>- <span class="l">ImageRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">86</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">87</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">88</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">89</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">90</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">91</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">92</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">93</span><span class="cl"><span class="w"> </span>- <span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">94</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">95</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">96</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">97</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.?image.orValue(&#39;&#39;).startsWith(&#39;ghcr.io/myorg/&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">98</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;.spec.image must be from an image repository within the myorg organization.&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/flux/verify-git-repositories/verify-git-repositories/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/flux/verify-git-repositories/verify-git-repositories/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//flux/verify-git-repositories/verify-git-repositories.yaml" target="-blank">/flux/verify-git-repositories/verify-git-repositories.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-git-repositories</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify Git Repositories</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Flux</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Ensures that Git repositories used for Flux deployments </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> in a cluster originate from a specific, trusted organization. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Prevents the use of untrusted or potentially risky Git repositories. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Protects the integrity and security of Flux deployments.</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">github-repositories-only</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="l">GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">.spec.url must be from a repository within the organisation X</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l">https://github.com/fluxcd/?* | ssh://git@github.com:fluxcd/?*</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/flux-cel/verify-git-repositories/verify-git-repositories/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/flux-cel/verify-git-repositories/verify-git-repositories/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//flux-cel/verify-git-repositories/verify-git-repositories.yaml" target="-blank">/flux-cel/verify-git-repositories/verify-git-repositories.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-git-repositories</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify Git Repositories in CEL expressions</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Flux in CEL </span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.26-1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> Ensures that Git repositories used for Flux deployments </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> in a cluster originate from a specific, trusted organization. </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> Prevents the use of untrusted or potentially risky Git repositories. </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> Protects the integrity and security of Flux deployments.</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">github-repositories-only</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="l">GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">UPDATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">namespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">cel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">expressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;object.spec.url.startsWith(&#39;https://github.com/fluxcd/&#39;) || object.spec.url.startsWith(&#39;ssh://git@github.com:fluxcd/&#39;)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="l">.spec.url must be from a repository within the organisation X</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/verify-image-ivpol/verify-image-ivpol/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/verify-image-ivpol/verify-image-ivpol/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/verify-image-ivpol/verify-image-ivpol.yaml" target="-blank">/other/verify-image-ivpol/verify-image-ivpol.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">policies.kyverno.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ImageValidatingPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-image-ivpol</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify Image</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Software Supply Chain Security, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.14.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Using the Cosign project, OCI images may be signed to ensure supply chain </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> security is maintained. Those signatures can be verified before pulling into </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> a cluster. This policy checks the signature of an image repo called </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> its signature against the provided public key. This policy serves as an illustration for </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> how to configure a similar rule and will require replacing with your image(s) and keys.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">webhookConfiguration</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">timeoutSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">evaluation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">validationActions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">Deny]</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;UPDATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">matchImageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">glob </span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;docker.io/mohdcode/kyverno*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cosign</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">cosign</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> -----BEGIN PUBLIC KEY----- </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6QsNef3SKYhJVYSVj+ZfbPwJd0pv </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> DLYNHXITZkhIzfE+apcxDjCCkDPcJ3A3zvhPATYOIsCxYPch7Q2JdJLsDQ== </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> -----END PUBLIC KEY-----</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">validations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="sd"> images.containers.map(image, verifyImageSignatures(image, [attestors.cosign])).all(e ,e &gt; 0)</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="sd"> failed the verification</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/verify-image/verify-image/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/verify-image/verify-image/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/verify-image/verify-image.yaml" target="-blank">/other/verify-image/verify-image.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-image</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify Image</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Software Supply Chain Security, EKS Best Practices</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Using the Cosign project, OCI images may be signed to ensure supply chain </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> security is maintained. Those signatures can be verified before pulling into </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> a cluster. This policy checks the signature of an image repo called </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> its signature against the provided public key. This policy serves as an illustration for </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> how to configure a similar rule and will require replacing with your image(s) and keys.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-image</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">verifyImages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">imageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;ghcr.io/kyverno/test-verify-image*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">mutateDigest</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">publicKeys</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="sd"> -----BEGIN PUBLIC KEY----- </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="sd"> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> -----END PUBLIC KEY-----</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/verify-image-cve-2022-42889/verify-image-cve-2022-42889/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/verify-image-cve-2022-42889/verify-image-cve-2022-42889/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/verify-image-cve-2022-42889/verify-image-cve-2022-42889.yaml" target="-blank">/other/verify-image-cve-2022-42889/verify-image-cve-2022-42889.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-image-vulns-cve-2022-42889</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify Image Check CVE-2022-42889</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Software Supply Chain Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.3</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> CVE-2022-42889 is a critical vulnerability in the Apache Commons Text library which </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> could lead to arbitrary code executions and occurs in versions 1.5 through 1.9. Detecting </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> the affected package may be done in an SBOM by identifying the &#34;commons-text&#34; package </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> with one of the affected versions. This policy checks attested SBOMs in CycloneDX format of an image </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> specified under `imageReferences` and denies it if it contains versions 1.5-1.9 of the commons-text </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> package. Using this for your own purposes will require customizing the `imageReferences`, </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> `subject`, and `issuer` fields based on your image signatures and attestations.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">webhookTimeoutSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">10</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cve-2022-42889</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">verifyImages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">imageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;myreg.org/myrepo/someimage*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">attestations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span>- <span class="nt">predicateType</span><span class="p">:</span><span class="w"> </span><span class="l">https://cyclonedx.org/schema</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">keyless</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">subject</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;mysubject&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">issuer</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;myissuer&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">rekor</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l">https://rekor.sigstore.dev</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ components[?name==&#39;commons-text&#39;].version || &#39;none&#39; }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AllNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;1.5&#34;</span><span class="p">,</span><span class="s2">&#34;1.6&#34;</span><span class="p">,</span><span class="s2">&#34;1.7&#34;</span><span class="p">,</span><span class="s2">&#34;1.8&#34;</span><span class="p">,</span><span class="s2">&#34;1.9&#34;</span><span class="p">]</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/verify-image-gcpkms/verify-image-gcpkms/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/verify-image-gcpkms/verify-image-gcpkms/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/verify-image-gcpkms/verify-image-gcpkms.yaml" target="-blank">/other/verify-image-gcpkms/verify-image-gcpkms.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-image-gcpkms</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify Image GCP KMS</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Software Supply Chain Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.1</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="sd"> Using the Cosign project, OCI images may be signed to ensure supply chain </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> security is maintained. Those signatures can be verified before pulling into </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> a cluster. This policy checks the signature of an image repo called </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> its signature against the provided public key. This policy serves as an illustration for </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> how to configure a similar rule and will require replacing with your image(s) and keys.</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-image</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">verifyImages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="nt">imageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;ghcr.io/kyverno/test-verify-image:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="nt">count</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">kms</span><span class="p">:</span><span class="w"> </span><span class="l">gcpkms://projects/omni-163105/locations/asia-south1/keyRings/first-ring/cryptoKeys/jerry/versions/1</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/verify-image-with-multi-keys/verify-image-with-multi-keys/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/verify-image-with-multi-keys/verify-image-with-multi-keys/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml" target="-blank">/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-image-with-multi-keys</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify Image with Multiple Keys</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Software Supply Chain Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.7.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.23&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> There may be multiple keys used to sign images based on </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> the parties involved in the creation process. This image </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> verification policy requires the named image be signed by </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> two separate keys. It will search for a global &#34;production&#34; </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> key in a ConfigMap called `keys` in the `default` Namespace </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> and also a Namespace key in the same ConfigMap.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-image-with-two-keys</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">keys</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">configMap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">keys</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">verifyImages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">imageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;ghcr.io/myorg/myimage*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">required</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>- <span class="nt">count</span><span class="p">:</span><span class="w"> </span><span class="m">2</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>- <span class="nt">keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">publicKeys</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ keys.data.production }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">publicKeys</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ keys.data.{{request.namespace}} }}&#34;</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/verify-manifest-integrity/verify-manifest-integrity/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/verify-manifest-integrity/verify-manifest-integrity/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/verify-manifest-integrity/verify-manifest-integrity.yaml" target="-blank">/other/verify-manifest-integrity/verify-manifest-integrity.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-manifest-integrity</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify Manifest Integrity</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Verifying the integrity of resources is important to ensure no tampering has </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> occurred, and in some cases this may need to be extended to certain YAML manifests </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> deployed to Kubernetes. Starting in Kyverno 1.8, these manifests may be signed with </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> Sigstore and the signature(s) validated to prevent this tampering while still allowing </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> some exceptions on a per-field basis. This policy verifies Deployments are signed with </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> the expected key but ignores the `spec.replicas` field allowing other teams to change just </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="sd"> this value.</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-deployment-allow-replicas</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">manifests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">count</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">publicKeys</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="sd"> -----BEGIN PUBLIC KEY----- </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="sd"> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEStoX3dPCFYFD2uPgTjZOf1I5UFTa </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="sd"> 1tIu7uoGoyTxJqqEq7K2aqU+vy+aK76uQ5mcllc+TymVtcLk10kcKvb3FQ== </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="sd"> -----END PUBLIC KEY-----</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">ignoreFields</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="nt">objects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">fields</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="l">spec.replicas</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/verify-image-slsa/verify-image-slsa/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/verify-image-slsa/verify-image-slsa/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/verify-image-slsa/verify-image-slsa.yaml" target="-blank">/other/verify-image-slsa/verify-image-slsa.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-slsa-provenance-keyless</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify SLSA Provenance (Keyless)</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Software Supply Chain Security</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/minversion</span><span class="p">:</span><span class="w"> </span><span class="m">1.8.3</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.9.0</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> Provenance is used to identify how an artifact was produced </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> and from where it originated. SLSA provenance is an industry-standard </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> method of representing that provenance. This policy verifies that an </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> image has SLSA provenance and was signed by the expected subject and issuer </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> when produced through GitHub Actions. It requires configuration based upon </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="sd"> your own values.</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">webhookTimeoutSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-slsa-keyless</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">verifyImages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="nt">imageReferences</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span>- <span class="s2">&#34;myreg.org/path/repo:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">attestations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>- <span class="nt">predicateType</span><span class="p">:</span><span class="w"> </span><span class="l">https://slsa.dev/provenance/v0.2</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">attestors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span>- <span class="nt">count</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">entries</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">keyless</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">subject</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">issuer</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://token.actions.githubusercontent.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">rekor</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l">https://rekor.sigstore.dev</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="c"># This expression uses a regex pattern to ensure the builder.id in the attestation is equal to the official</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="c"># SLSA provenance generator workflow and uses a tagged release in semver format. If using a specific SLSA</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="c"># provenance generation workflow, you may need to adjust the first input as necessary.</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ regex_match(&#39;^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9].[0-9].[0-9]$&#39;,&#39;{{ builder.id}}&#39;) }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">Equals</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div>https://release-1-16-0--kyverno.netlify.app/policies/other/verify-vpa-target/verify-vpa-target/Mon, 01 Jan 0001 00:00:00 +0000https://release-1-16-0--kyverno.netlify.app/policies/other/verify-vpa-target/verify-vpa-target/<h2 id="policy-definition"> Policy Definition <a href="#policy-definition"> <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z" fill="none"></path><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z"></path></svg> </a> </h2> <p><a href="https://github.com/kyverno/policies/raw/main//other/verify-vpa-target/verify-vpa-target.yaml" target="-blank">/other/verify-vpa-target/verify-vpa-target.yaml</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-vpa-target</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/title</span><span class="p">:</span><span class="w"> </span><span class="l">Verify VerticalPodAutoscaler Target</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/category</span><span class="p">:</span><span class="w"> </span><span class="l">Other</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/severity</span><span class="p">:</span><span class="w"> </span><span class="l">medium</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kyverno-version</span><span class="p">:</span><span class="w"> </span><span class="m">1.11.4</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">kyverno.io/kubernetes-version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.27&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/subject</span><span class="p">:</span><span class="w"> </span><span class="l">VerticalPodAutoscaler</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">policies.kyverno.io/description</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="sd"> VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="sd"> It requires defining a specific target resource by kind and name. There are no built-in </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="sd"> validation checks by the VPA controller to ensure that the target resource exists or that the target </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="sd"> kind is specified correctly. This policy contains two rules, the first of which verifies that the </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="sd"> kind is specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet, which helps avoid typos. </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="sd"> The second rule verifies that the target resource exists before allowing the VPA to be created.</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit</span><span class="w"> </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">verify-kind-name</span><span class="w"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span>- <span class="l">VerticalPodAutoscaler</span><span class="w"> </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="sd"> The target kind must be specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet.</span><span class="w"> </span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">targetRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment | StatefulSet | ReplicaSet | DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">check-targetref</span><span class="w"> </span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">VerticalPodAutoscaler</span><span class="w"> </span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">CREATE</span><span class="w"> </span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">preconditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="l">ReplicaSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span>- <span class="l">DaemonSet</span><span class="w"> </span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.targetRef.kind }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="c"># Builds a mapping of the target kind to the plural form of the resource to be used in the API call.</span><span class="w"> </span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">map</span><span class="w"> </span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">Deployment</span><span class="p">:</span><span class="w"> </span><span class="l">deployments</span><span class="w"> </span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">StatefulSet</span><span class="p">:</span><span class="w"> </span><span class="l">statefulsets</span><span class="w"> </span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">ReplicaSet</span><span class="p">:</span><span class="w"> </span><span class="l">replicasets</span><span class="w"> </span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">DaemonSet</span><span class="p">:</span><span class="w"> </span><span class="l">daemonsets</span><span class="w"> </span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">targetkind</span><span class="w"> </span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">variable</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="l">request.object.spec.targetRef.kind</span><span class="w"> </span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">targets</span><span class="w"> </span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">apiCall</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">urlPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/apis/apps/v1/namespaces/{{ request.namespace }}/{{ map.{{targetkind}} }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">jmesPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;items[].metadata.name&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="sd"> The target {{ request.object.spec.targetRef.kind }} named </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="sd"> {{ request.object.spec.targetRef.name }} does not exist in the </span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="sd"> {{ request.namespace }} namespace.</span><span class="w"> </span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">78</span><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">79</span><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.spec.targetRef.name }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="ln">80</span><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyNotIn</span><span class="w"> </span></span></span><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ targets }}&#34;</span><span class="w"> </span></span></span></code></pre></div>