Require Encryption with AWS LoadBalancers in CEL expressions
Services of type LoadBalancer, when deployed in AWS, support transport encryption if it is enabled via an annotation. This policy requires that every Service of type LoadBalancer carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with a non-empty value.
Policy Definition
/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-encryption-aws-loadbalancers
  annotations:
    policies.kyverno.io/title: Require Encryption with AWS LoadBalancers in CEL expressions
    policies.kyverno.io/category: AWS, EKS Best Practices in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Service
    kyverno.io/kyverno-version: 1.12.1
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Services of type LoadBalancer when deployed inside AWS have support for
      transport encryption if it is enabled via an annotation. This policy requires
      that Services of type LoadBalancer contain the annotation
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: aws-loadbalancer-has-ssl-cert
      match:
        any:
        - resources:
            kinds:
              - Service
            operations:
            - CREATE
            - UPDATE
      celPreconditions:
        - name: "type-should-be-load-balancer"
          expression: "object.spec.type == 'LoadBalancer'"
      validate:
        cel:
          expressions:
            - expression: >-
                object.metadata.?annotations[?'service.beta.kubernetes.io/aws-load-balancer-ssl-cert'].orValue('') != ''
              message: "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert."
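To see which Services the rule admits, flags or skips, here is an added Python re-implementation of the policy's precondition and CEL check (example code, not Kyverno's or the policy's own; the sample Service manifests and the certificate ARN placeholder are constructed). It covers the case where metadata.annotations is absent entirely, which the CEL optional chaining `?annotations[?...]` collapses to an empty value.

```python
# Illustrative re-implementation of the policy logic (not Kyverno code):
# 1. celPrecondition: only Services with spec.type == 'LoadBalancer' are evaluated.
# 2. validate.cel: metadata.?annotations[?SSL_CERT_ANNOTATION].orValue('') != ''
#    A missing annotations map, a missing key and an empty string all become ''
#    and fail; a Service of another type is skipped (the rule does not apply).

SSL_CERT_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
MESSAGE = ("Service of type LoadBalancer must carry the annotation "
           "service.beta.kubernetes.io/aws-load-balancer-ssl-cert.")


def evaluate(service: dict) -> tuple:
    """Return (status, message) where status is 'skip', 'pass' or 'fail'."""
    if service.get("spec", {}).get("type") != "LoadBalancer":
        return ("skip", "")  # precondition not met, rule does not apply
    annotations = service.get("metadata", {}).get("annotations") or {}
    value = annotations.get(SSL_CERT_ANNOTATION, "")  # mirrors .orValue('')
    if value != "":
        return ("pass", "")
    return ("fail", MESSAGE)


# Constructed sample Services (hypothetical, not from any real cluster):
NO_ANNOTATIONS = {"kind": "Service", "metadata": {"name": "lb-bare"},
                  "spec": {"type": "LoadBalancer"}}
EMPTY_VALUE = {"kind": "Service",
               "metadata": {"name": "lb-empty",
                            "annotations": {SSL_CERT_ANNOTATION: ""}},
               "spec": {"type": "LoadBalancer"}}
WITH_CERT = {"kind": "Service",
             "metadata": {"name": "lb-tls",
                          "annotations": {SSL_CERT_ANNOTATION:
                                          "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}},
             "spec": {"type": "LoadBalancer"}}
CLUSTER_IP = {"kind": "Service", "metadata": {"name": "internal"},
              "spec": {"type": "ClusterIP"}}

if __name__ == "__main__":
    for svc in (NO_ANNOTATIONS, EMPTY_VALUE, WITH_CERT, CLUSTER_IP):
        status, msg = evaluate(svc)
        print(f"{svc['metadata']['name']}: {status} {msg}")
```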