Enforce AppProject with clusterResourceBlacklist
An AppProject may optionally specify clusterResourceBlacklist, a list of cluster-scoped resources (by group and kind) that applications in the project are not allowed to manage. Setting it is generally good practice, since it keeps an AppProject from granting more cluster access than it needs. This policy combines two rules: one enforces that every AppProject specifies clusterResourceBlacklist, and the other enforces that each entry's group and kind contain wildcards.
Policy Definition
/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: appproject-clusterresourceblacklist
  annotations:
    policies.kyverno.io/title: Enforce AppProject with clusterResourceBlacklist
    policies.kyverno.io/category: Argo
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: AppProject
    policies.kyverno.io/description: >-
      An AppProject may optionally specify clusterResourceBlacklist which is a blacklisted
      group of cluster resources. This is often a good practice to ensure AppProjects do
      not allow more access than needed. This policy is a combination of two rules which
      enforce that all AppProjects specify clusterResourceBlacklist and that their group
      and kind have wildcards as values.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: has-wildcard
    match:
      any:
      - resources:
          kinds:
          - AppProject
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: AnyIn
        value: ["CREATE", "UPDATE"]
    validate:
      message: "Wildcards must be present in group and kind for clusterResourceBlacklist."
      foreach:
      - list: "request.object.spec.clusterResourceBlacklist"
        deny:
          conditions:
            any:
            - key: "{{ contains(element.group, '*') }}"
              operator: Equals
              value: false
            - key: "{{ contains(element.kind, '*') }}"
              operator: Equals
              value: false
  - name: validate-clusterresourceblacklist
    match:
      any:
      - resources:
          kinds:
          - AppProject
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: AnyIn
        value: ["CREATE", "UPDATE"]
    validate:
      message: "AppProject must specify clusterResourceBlacklist."
      deny:
        conditions:
          any:
          - key: clusterResourceBlacklist
            operator: AnyNotIn
            value: "{{ request.object.spec.keys(@) }}"
```
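To see how the two rules behave, here are three constructed AppProject manifests (added for this page, not part of the Kyverno policies repository): the first satisfies both rules, the second trips has-wildcard, and the third trips validate-clusterresourceblacklist. Project names, namespaces and repository URLs are placeholders.

```yaml
# Constructed AppProject manifests (not from the Kyverno policies repository) for
# exercising both rules of the policy above. Names and repo URLs are placeholders.
#
# Passes both rules: the field is present and every entry uses wildcards.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-a-compliant
  namespace: argocd
spec:
  sourceRepos:
  - https://git.example.com/team-a/*
  destinations:
  - namespace: team-a
    server: https://kubernetes.default.svc
  clusterResourceBlacklist:
  - group: "*"
    kind: "*"
---
# Fails rule has-wildcard: the entry names a concrete group/kind, so
# contains(element.group, '*') and contains(element.kind, '*') are both false.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-b-no-wildcard
  namespace: argocd
spec:
  sourceRepos:
  - https://git.example.com/team-b/*
  destinations:
  - namespace: team-b
    server: https://kubernetes.default.svc
  clusterResourceBlacklist:
  - group: ""
    kind: Namespace
---
# Fails rule validate-clusterresourceblacklist: clusterResourceBlacklist is absent
# from spec, so the key is AnyNotIn the result of request.object.spec.keys(@).
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-c-missing-field
  namespace: argocd
spec:
  sourceRepos:
  - https://git.example.com/team-c/*
  destinations:
  - namespace: team-c
    server: https://kubernetes.default.svc
```

Saving the manifests to a file and running `kyverno apply appproject-clusterresourceblacklist.yaml --resource <file>` reports one pass and two fails; because the policy uses validationFailureAction Audit, the same violations in a live cluster are recorded in PolicyReports rather than blocking the admission request.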