Require Labels in CEL expressions

Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.

Policy Definition

/best-practices-cel/require-labels/require-labels.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
  annotations:
    policies.kyverno.io/title: Require Labels in CEL expressions
    policies.kyverno.io/category: Best Practices in CEL
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod, Label
    policies.kyverno.io/description: >-
      Define and use labels that identify semantic attributes of your application or Deployment.
      A common set of labels allows tools to work collaboratively, describing objects in a common manner that
      all tools can understand. The recommended labels describe applications in a way that can be
      queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: check-for-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
          operations:
          - CREATE
          - UPDATE
    validate:
      cel:
        expressions:
          - expression: >-
              object.metadata.?labels[?'app.kubernetes.io/name'].orValue('') != ""
            message: "The label `app.kubernetes.io/name` is required."
```
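The rule's CEL expression fails a Pod in three distinct cases: no `labels` map at all, a map without the key, and the key present with an empty value. The following Python is an added example, not part of the Kyverno policy library; it mirrors that expression over a pod list in the shape of `kubectl get pods -A -o json` output. The function names `label_finding` and `audit` and the sample data are assumptions constructed for illustration.

```python
import json

LABEL = "app.kubernetes.io/name"

# Constructed sample in the shape of a `kubectl get ... -o json` list.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Pod", "metadata": {"namespace": "shop", "name": "web",
                                 "labels": {LABEL: "storefront"}}},
    {"kind": "Pod", "metadata": {"namespace": "shop", "name": "no-labels"}},
    {"kind": "Pod", "metadata": {"namespace": "shop", "name": "other-label",
                                 "labels": {"app": "cart"}}},
    {"kind": "Pod", "metadata": {"namespace": "ops", "name": "empty-value",
                                 "labels": {LABEL: ""}}},
    {"kind": "Deployment", "metadata": {"namespace": "ops", "name": "skipped"}},
]})


def label_finding(obj):
    """Return None if the object passes, else the reason it fails.

    Mirrors: object.metadata.?labels[?LABEL].orValue('') != ""
    """
    labels = (obj.get("metadata") or {}).get("labels")
    if labels is None:           # .?labels -> empty optional -> orValue('')
        return "no labels map"
    if LABEL not in labels:      # [?key] -> empty optional -> orValue('')
        return "label absent"
    if labels[LABEL] == "":      # present, but equal to the '' default
        return "label empty"
    return None


def audit(pod_list_json):
    """List (namespace/name, reason) for every Pod the rule would flag."""
    findings = []
    for item in json.loads(pod_list_json).get("items", []):
        if item.get("kind") != "Pod":   # the rule matches kind Pod only
            continue
        reason = label_finding(item)
        if reason:
            meta = item["metadata"]
            name = f"{meta.get('namespace', 'default')}/{meta['name']}"
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"FAIL {name}: {reason}")
```

Because the policy sets `validationFailureAction: Audit`, these Pods are reported rather than blocked; a list like this shows what would be rejected if the action were changed to enforcement.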