Verify Flux Sources

Flux source APIs include a number of different sources, such as GitRepository, Bucket, HelmRepository, and ImageRepository resources. By default, each of these can be pointed at any location. In a production environment, it may be desirable to restrict them to known sources only, so that content is not pulled from outside locations. This policy verifies that each of the Flux sources comes from a trusted location.

Policy Definition

/flux/verify-flux-sources/verify-flux-sources.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-flux-sources
  annotations:
    policies.kyverno.io/title: Verify Flux Sources
    policies.kyverno.io/category: Flux
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: GitRepository, Bucket, HelmRepository, ImageRepository
    policies.kyverno.io/description: >-
      Flux source APIs include a number of different sources such as
      GitRepository, Bucket, HelmRepository, and ImageRepository resources. Each of these
      by default can be pointed to any location. In a production environment,
      it may be desired to restrict these to only known sources to prevent
      accessing outside sources. This policy verifies that each of the Flux
      sources comes from a trusted location.
spec:
  validationFailureAction: audit
  rules:
    - name: flux-github-repositories
      match:
        any:
        - resources:
            kinds:
              - GitRepository
      exclude:
        any:
        - resources:
            namespaces:
              - flux-system
      validate:
        message: ".spec.url must be from a repository within the myorg organization."
        pattern:
          spec:
            url: "https://github.com/myorg/?* | ssh://git@github.com:myorg/?*"
    - name: flux-buckets
      match:
        any:
        - resources:
            kinds:
              - Bucket
      exclude:
        any:
        - resources:
            namespaces:
              - flux-system
      validate:
        message: ".spec.endpoint must reference an address within the myorg organization."
        pattern:
          spec:
            endpoint: "*.myorg.com"
    - name: flux-helm-repositories
      match:
        any:
        - resources:
            kinds:
              - HelmRepository
      exclude:
        any:
        - resources:
            namespaces:
              - flux-system
      validate:
        message: ".spec.url must be from a repository within the myorg organization."
        pattern:
          spec:
            url: "https://?*.myorg.com/*"
    - name: flux-image-repositories
      match:
        any:
        - resources:
            kinds:
              - ImageRepository
      exclude:
        any:
        - resources:
            namespaces:
              - flux-system
      validate:
        message: ".spec.image must be from an image repository within the myorg organization."
        pattern:
          spec:
            image: "ghcr.io/myorg/*"
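To see which source definitions the four rules above accept or reject, the following added example (not part of the policy page or of Kyverno itself) re-implements Kyverno's wildcard pattern semantics as I understand them, encodes the four rules and the flux-system exclusion, and evaluates a handful of constructed sample resources. The resource names, namespaces and URLs are made up for illustration.

```python
import re
from typing import Optional

# Kyverno-style pattern matching as used by the policy above: "*" matches any run of
# characters, "?" exactly one (so "?*" means "at least one"), and "|" separates
# alternatives. This is an added illustration, not Kyverno's own implementation.
def wildcard_match(pattern: str, value: str) -> bool:
    for alt in pattern.split("|"):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in alt.strip())
        if re.fullmatch(regex, value):
            return True
    return False

# The four rules from verify-flux-sources.yaml: kind -> (spec field, pattern, message)
RULES = {
    "GitRepository": ("url", "https://github.com/myorg/?* | ssh://git@github.com:myorg/?*",
                      ".spec.url must be from a repository within the myorg organization."),
    "Bucket": ("endpoint", "*.myorg.com",
               ".spec.endpoint must reference an address within the myorg organization."),
    "HelmRepository": ("url", "https://?*.myorg.com/*",
                       ".spec.url must be from a repository within the myorg organization."),
    "ImageRepository": ("image", "ghcr.io/myorg/*",
                        ".spec.image must be from an image repository within the myorg organization."),
}

def evaluate(resource: dict) -> Optional[str]:
    """Return the rule's failure message, or None when the resource passes."""
    if resource["metadata"].get("namespace") == "flux-system":  # the exclude block
        return None
    rule = RULES.get(resource["kind"])
    if rule is None:  # kind not matched by any rule
        return None
    field, pattern, message = rule
    value = resource.get("spec", {}).get(field, "")  # a missing field never matches
    return None if wildcard_match(pattern, value) else message

def res(kind: str, namespace: str, **spec) -> dict:  # constructed sample resource
    return {"kind": kind, "metadata": {"namespace": namespace}, "spec": spec}

SAMPLES = [  # constructed inputs, not taken from any real cluster
    res("GitRepository", "apps", url="https://github.com/myorg/payments"),
    res("GitRepository", "apps", url="https://github.com/myorg-fork/payments"),
    res("GitRepository", "flux-system", url="https://github.com/fluxcd/flux2"),
    res("HelmRepository", "apps", url="https://charts.myorg.com/stable"),
    res("ImageRepository", "apps", image="docker.io/library/nginx"),
]

if __name__ == "__main__":  # with validationFailureAction: audit, Kyverno only reports these
    for r in SAMPLES:
        print(r["kind"], r["spec"], "->", evaluate(r) or "pass")
```

Note that the second GitRepository is rejected even though its URL contains the string "myorg": the pattern requires the organization segment to be exactly "myorg/", which is the check that keeps look-alike organizations out.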