Verify Flux Sources in CEL expressions
Flux source APIs include a number of different sources such as GitRepository, Bucket, HelmRepository, and ImageRepository resources. By default, each of these can be pointed at any location. In a production environment it may be desirable to restrict them to known sources only, so that Flux cannot pull from outside locations. This policy verifies that each of the Flux sources comes from a trusted location.
Policy Definition
/flux-cel/verify-flux-sources/verify-flux-sources.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-flux-sources
  annotations:
    policies.kyverno.io/title: Verify Flux Sources in CEL expressions
    policies.kyverno.io/category: Flux in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: GitRepository, Bucket, HelmRepository, ImageRepository
    policies.kyverno.io/description: >-
      Flux source APIs include a number of different sources such as
      GitRepository, Bucket, HelmRepository, and ImageRepository resources. Each of these
      by default can be pointed to any location. In a production environment,
      it may be desired to restrict these to only known sources to prevent
      accessing outside sources. This policy verifies that each of the Flux
      sources comes from a trusted location.
spec:
  # Audit only reports violations; switch to Enforce to block the request.
  validationFailureAction: Audit
  rules:
    # One rule per Flux source kind; each skips the flux-system namespace,
    # where Flux's own bootstrap sources live.
    - name: flux-github-repositories
      match:
        any:
        - resources:
            kinds:
              - GitRepository
            operations:
              - CREATE
              - UPDATE
      exclude:
        any:
        - resources:
            namespaces:
              - flux-system
      validate:
        cel:
          expressions:
            - expression: "object.spec.url.startsWith('https://github.com/myorg/') || object.spec.url.startsWith('ssh://git@github.com:myorg/')"
              message: ".spec.url must be from a repository within the myorg organization."
    - name: flux-buckets
      match:
        any:
        - resources:
            kinds:
              - Bucket
            operations:
              - CREATE
              - UPDATE
      exclude:
        any:
        - resources:
            namespaces:
              - flux-system
      validate:
        cel:
          expressions:
            # ?endpoint.orValue('') turns a missing field into '' so the check fails closed.
            - expression: "object.spec.?endpoint.orValue('').endsWith('.myorg.com')"
              message: ".spec.endpoint must reference an address within the myorg organization."
    - name: flux-helm-repositories
      match:
        any:
        - resources:
            kinds:
              - HelmRepository
            operations:
              - CREATE
              - UPDATE
      exclude:
        any:
        - resources:
            namespaces:
              - flux-system
      validate:
        cel:
          expressions:
            - expression: "object.spec.url.matches('^https://[a-zA-Z0-9-]+[.]myorg[.]com/.*$')"
              message: ".spec.url must be from a repository within the myorg organization."
    - name: flux-image-repositories
      match:
        any:
        - resources:
            kinds:
              - ImageRepository
            operations:
              - CREATE
              - UPDATE
      exclude:
        any:
        - resources:
            namespaces:
              - flux-system
      validate:
        cel:
          expressions:
            - expression: "object.spec.?image.orValue('').startsWith('ghcr.io/myorg/')"
              message: ".spec.image must be from an image repository within the myorg organization."
```
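To see concretely what these four expressions admit and deny before rolling the policy out, here is an added Python model (not part of the policy page, and not Kyverno's CEL evaluator) that reimplements each check as a plain predicate and mirrors the rules' match, exclude and validate flow; the Flux objects it evaluates are constructed samples, and it goes slightly beyond the page by exercising edge cases such as a Bucket with no endpoint, an endpoint carrying a port, and an OCI-scheme HelmRepository.

```python
import re

# Regex copied verbatim from the flux-helm-repositories rule.
HELM_URL_RE = re.compile(r"^https://[a-zA-Z0-9-]+[.]myorg[.]com/.*$")

# kind -> (Python equivalent of the rule's CEL expression, the rule's message).
# spec.url is required by the GitRepository/HelmRepository CRDs, which is why
# the policy reads it without '?'; .get(..., '') here just avoids a KeyError.
RULES = {
    "GitRepository": (
        lambda spec: spec.get("url", "").startswith("https://github.com/myorg/")
        or spec.get("url", "").startswith("ssh://git@github.com:myorg/"),
        ".spec.url must be from a repository within the myorg organization.",
    ),
    # object.spec.?endpoint.orValue(''): a missing endpoint becomes '' and is denied.
    "Bucket": (
        lambda spec: spec.get("endpoint", "").endswith(".myorg.com"),
        ".spec.endpoint must reference an address within the myorg organization.",
    ),
    "HelmRepository": (
        lambda spec: HELM_URL_RE.match(spec.get("url", "")) is not None,
        ".spec.url must be from a repository within the myorg organization.",
    ),
    "ImageRepository": (
        lambda spec: spec.get("image", "").startswith("ghcr.io/myorg/"),
        ".spec.image must be from an image repository within the myorg organization.",
    ),
}


def admit(resource, operation="CREATE"):
    """Return (allowed, reason) for one admission request against this policy.

    Kinds the policy does not list, operations other than CREATE/UPDATE, and
    anything in flux-system are not matched and pass through, as the rules state.
    """
    kind = resource.get("kind")
    namespace = resource.get("metadata", {}).get("namespace", "default")
    if kind not in RULES or operation not in ("CREATE", "UPDATE"):
        return True, "rule not matched"
    if namespace == "flux-system":
        return True, "namespace excluded"
    check, message = RULES[kind]
    return (True, "ok") if check(resource.get("spec", {})) else (False, message)


def source(kind, namespace, **spec):
    """Build a minimal constructed Flux source object for testing."""
    return {"kind": kind, "metadata": {"namespace": namespace}, "spec": spec}
```

Because the policy ships with validationFailureAction: Audit, the denials this model produces would appear in PolicyReports rather than block the request until the action is changed to Enforce.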