
Require Encryption with AWS LoadBalancers in CEL expressions

On AWS, a Service of type LoadBalancer can terminate TLS at the load balancer, but only if the certificate (an ACM or IAM certificate ARN) is supplied through the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation; without it the listener is plain TCP/HTTP. This policy requires that every Service of type LoadBalancer carries that annotation with a non-empty value. Services of any other type are skipped by a CEL precondition. Note that the check accepts any non-empty string; it does not verify that the value is a valid certificate ARN. As published, the policy runs with validationFailureAction: Audit, so violations are recorded in policy reports but the Service is still admitted; set it to Enforce to reject non-compliant Services.

Policy Definition

/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-encryption-aws-loadbalancers
  annotations:
    policies.kyverno.io/title: Require Encryption with AWS LoadBalancers in CEL expressions
    policies.kyverno.io/category: AWS, EKS Best Practices in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Service
    kyverno.io/kyverno-version: 1.12.1
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Services of type LoadBalancer when deployed inside AWS have support for
      transport encryption if it is enabled via an annotation. This policy requires
      that Services of type LoadBalancer contain the annotation
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: aws-loadbalancer-has-ssl-cert
      match:
        any:
        - resources:
            kinds:
              - Service
            operations:
              - CREATE
              - UPDATE
      celPreconditions:
        - name: "type-should-be-load-balancer"
          expression: "object.spec.type == 'LoadBalancer'"
      validate:
        cel:
          expressions:
            - expression: >-
                object.metadata.?annotations[?'service.beta.kubernetes.io/aws-load-balancer-ssl-cert'].orValue('') != ''
              message: "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert."
```