Application Field Validation in CEL expressions

This policy performs best-practice validation on Argo CD Application fields. Either spec.source.path or spec.source.chart must be specified, but never both. Likewise, either spec.destination.name or spec.destination.server must be specified, but never both.

Policy Definition

/argo-cel/application-field-validation/application-field-validation.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: application-field-validation
  annotations:
    policies.kyverno.io/title: Application Field Validation in CEL expressions
    policies.kyverno.io/category: Argo in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Application
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      This policy performs some best practices validation on Application fields.
      Path or chart must be specified but never both. And destination.name or
      destination.server must be specified but never both.
spec:
  # Audit records violations in policy reports without rejecting the request;
  # set this to Enforce to block non-compliant Applications at admission.
  validationFailureAction: Audit
  # Also evaluate Applications that already exist in the cluster.
  background: true
  rules:
    # Rule 1: spec.source must exist and set exactly one of path / chart.
    - name: source-path-chart
      match:
        any:
        - resources:
            kinds:
            - Application
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            # Exclusive-or on field presence. An Application with no spec.source
            # at all (for example one that only sets spec.sources) also fails.
            - expression: >-
                has(object.spec.source) &&
                (
                  (has(object.spec.source.path) && !has(object.spec.source.chart)) ||
                  (!has(object.spec.source.path) && has(object.spec.source.chart))
                )
              message: >-
                `spec.source.path` OR `spec.source.chart` should be specified but never both.
    # Rule 2: spec.destination must exist and set exactly one of server / name.
    - name: destination-server-name
      match:
        any:
        - resources:
            kinds:
            - Application
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            # Exclusive-or on field presence, as in the rule above.
            - expression: >-
                has(object.spec.destination) &&
                (
                  (has(object.spec.destination.server) && !has(object.spec.destination.name)) ||
                  (!has(object.spec.destination.server) && has(object.spec.destination.name))
                )
              message: >-
                `spec.destination.server` OR `spec.destination.name` should be specified but never both.
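
The two rules above, modelled in Python and run over constructed Application specs, including the cases the description does not spell out (no spec.source at all, and an empty-string field). This is an added example, not part of the original policy page or of Kyverno; the helper names, sample names and repository URL are hypothetical, and it assumes CEL has() on the Application object is a key-presence test.

```python
# Added illustration: a plain-Python model of the policy's two CEL expressions.
# Assumption: CEL has(a.b) on the Application object is a key-presence test.

def has(obj, *path):
    """True if every key along path is present (the value may be empty)."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return False
        obj = obj[key]
    return True

def exactly_one(app, parent, a, b):
    """spec.<parent> must exist and carry exactly one of the fields a and b."""
    return has(app, "spec", parent) and (
        has(app, "spec", parent, a) != has(app, "spec", parent, b)
    )

# Rule name -> (parent block, first field, second field), as in the policy.
RULES = {
    "source-path-chart": ("source", "path", "chart"),
    "destination-server-name": ("destination", "server", "name"),
}

def violations(app):
    """Names of the rules this Application fails, in policy order."""
    return [rule for rule, args in RULES.items() if not exactly_one(app, *args)]

# Constructed sample specs (not taken from any real cluster).
REPO = "https://example.invalid/repo.git"
BY_SERVER = {"server": "https://kubernetes.default.svc", "namespace": "web"}
SAMPLES = {
    "path+server": {"spec": {"source": {"repoURL": REPO, "path": "apps/web"}, "destination": BY_SERVER}},
    "chart+name": {"spec": {"source": {"repoURL": REPO, "chart": "web"}, "destination": {"name": "in-cluster"}}},
    "path+chart": {"spec": {"source": {"repoURL": REPO, "path": "apps/web", "chart": "web"}, "destination": BY_SERVER}},
    "server+name": {"spec": {"source": {"repoURL": REPO, "path": "apps/web"}, "destination": {**BY_SERVER, "name": "in-cluster"}}},
    "no-target": {"spec": {"source": {"repoURL": REPO, "chart": "web"}, "destination": {"namespace": "web"}}},
    # Only spec.sources is set: has(object.spec.source) is false, so the rule fails.
    "sources-only": {"spec": {"sources": [{"repoURL": REPO, "path": "apps/web"}], "destination": BY_SERVER}},
    # An empty string still counts as present, so this is flagged as "both".
    "empty-path+chart": {"spec": {"source": {"repoURL": REPO, "path": "", "chart": "web"}, "destination": BY_SERVER}},
}

if __name__ == "__main__":
    for name, app in SAMPLES.items():
        print(f"{name:18} {violations(app) or 'pass'}")
```

Because the policy ships with validationFailureAction: Audit, the failing cases here would appear in policy reports rather than being rejected at admission.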