Enforce AppProject with clusterResourceBlacklist in CEL expressions
An AppProject may optionally specify clusterResourceBlacklist, a list of cluster-scoped resources that the project's Applications are not allowed to manage. Setting it is good practice so that an AppProject does not grant more access than needed. This policy combines two rules: every AppProject must specify clusterResourceBlacklist, and every entry's group and kind must contain wildcards.
Policy Definition
/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: appproject-clusterresourceblacklist
  annotations:
    policies.kyverno.io/title: Enforce AppProject with clusterResourceBlacklist in CEL expressions
    policies.kyverno.io/category: Argo in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: AppProject
    policies.kyverno.io/description: >-
      An AppProject may optionally specify clusterResourceBlacklist which is a blacklisted
      group of cluster resources. This is often a good practice to ensure AppProjects do
      not allow more access than needed. This policy is a combination of two rules which
      enforce that all AppProjects specify clusterResourceBlacklist and that their group
      and kind have wildcards as values.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: has-wildcard-and-validate-clusterresourceblacklist
      match:
        any:
          - resources:
              kinds:
                - AppProject
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            - expression: "has(object.spec.clusterResourceBlacklist)"
              message: "AppProject must specify clusterResourceBlacklist."
            - expression: "object.spec.clusterResourceBlacklist.all(element, element.group.contains('*') && element.kind.contains('*'))"
              message: "Wildcards must be present in group and kind for clusterResourceBlacklist."
```
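As an added example (not code from the Kyverno policies repository), the following Python mirrors the policy's two CEL expressions and runs them over constructed AppProject manifests; the helper names and sample manifests are assumptions made for this illustration. It also shows an edge case the expressions allow: an empty clusterResourceBlacklist satisfies both rules, because CEL's all() over an empty list is true.

```python
# Added example mirroring the two CEL expressions of the policy above.
# Helper names and sample manifests are assumptions, not Kyverno or Argo CD code.

# Messages copied from the policy.
MSG_MISSING = "AppProject must specify clusterResourceBlacklist."
MSG_WILDCARD = "Wildcards must be present in group and kind for clusterResourceBlacklist."


def has_blacklist(obj: dict) -> bool:
    """Mirrors CEL: has(object.spec.clusterResourceBlacklist)"""
    return "clusterResourceBlacklist" in obj.get("spec", {})


def all_wildcard(obj: dict) -> bool:
    """Mirrors CEL: object.spec.clusterResourceBlacklist.all(element,
    element.group.contains('*') && element.kind.contains('*')).
    Like CEL's all(), Python's all() over an empty list is True."""
    entries = obj["spec"]["clusterResourceBlacklist"]
    return all("*" in e["group"] and "*" in e["kind"] for e in entries)


def evaluate(obj: dict) -> list:
    """Return the failure messages for the manifest; an empty list means compliant.
    A CEL runtime error (KeyError here, e.g. the field is absent) counts as a
    failure of that expression; the exact message Kyverno reports for an
    evaluation error is not modelled."""
    failures = []
    for check, message in ((has_blacklist, MSG_MISSING), (all_wildcard, MSG_WILDCARD)):
        try:
            ok = check(obj)
        except KeyError:
            ok = False
        if not ok:
            failures.append(message)
    return failures


def appproject(**spec) -> dict:
    """Constructed minimal AppProject manifest with the given spec fields."""
    return {"apiVersion": "argoproj.io/v1alpha1", "kind": "AppProject",
            "metadata": {"name": "example", "namespace": "argocd"}, "spec": spec}


# Constructed sample manifests covering the pass, fail and edge cases.
SAMPLES = {
    "wildcard": appproject(clusterResourceBlacklist=[{"group": "*", "kind": "*"}]),
    "missing": appproject(sourceRepos=["*"]),
    "specific": appproject(clusterResourceBlacklist=[{"group": "", "kind": "Namespace"}]),
    "mixed": appproject(clusterResourceBlacklist=[{"group": "*", "kind": "*"},
                                                  {"group": "rbac.authorization.k8s.io", "kind": "ClusterRole"}]),
    "empty": appproject(clusterResourceBlacklist=[]),  # all() over [] is true: passes
}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        print(f"{name:9s} -> {evaluate(manifest) or 'compliant'}")
```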