Verify Flux Sources
Flux source APIs include a number of different sources such as GitRepository, Bucket, HelmRepository, and ImageRepository resources. By default each of these can point at any location. In a production environment you will usually want to restrict them to known locations so that the cluster cannot pull manifests, charts or images from outside sources. This policy verifies that each Flux source comes from a trusted location: it matches the four source kinds, excludes the `flux-system` namespace (where the bootstrap sources live, so those are not checked), and validates the relevant `spec` field (`url`, `endpoint` or `image`) against a Kyverno wildcard pattern, where `*` matches any characters, `?*` requires at least one character, and `|` separates alternatives. Two things to check before relying on it: the policy ships with `validationFailureAction: audit`, so violations are only recorded in policy reports and nothing is blocked until you change it to `enforce`; and the patterns are matched against the whole string, so test them against the exact URL form your sources use (for example, Flux documents the SSH form `ssh://git@github.com/myorg/repo`, which is not the `ssh://git@github.com:myorg/` form in the pattern), or legitimate sources will be reported or rejected.
Policy Definition
/flux/verify-flux-sources/verify-flux-sources.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-flux-sources
  annotations:
    policies.kyverno.io/title: Verify Flux Sources
    policies.kyverno.io/category: Flux
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: GitRepository, Bucket, HelmRepository, ImageRepository
    policies.kyverno.io/description: >-
      Flux source APIs include a number of different sources such as
      GitRepository, Bucket, HelmRepository, and ImageRepository resources. Each of these
      by default can be pointed to any location. In a production environment,
      it may be desired to restrict these to only known sources to prevent
      accessing outside sources. This policy verifies that each of the Flux
      sources comes from a trusted location.
spec:
  validationFailureAction: audit
  rules:
  - name: flux-github-repositories
    match:
      any:
      - resources:
          kinds:
          - GitRepository
    exclude:
      any:
      - resources:
          namespaces:
          - flux-system
    validate:
      message: ".spec.url must be from a repository within the myorg organization."
      pattern:
        spec:
          url: "https://github.com/myorg/?* | ssh://git@github.com:myorg/?*"
  - name: flux-buckets
    match:
      any:
      - resources:
          kinds:
          - Bucket
    exclude:
      any:
      - resources:
          namespaces:
          - flux-system
    validate:
      message: ".spec.endpoint must reference an address within the myorg organization."
      pattern:
        spec:
          endpoint: "*.myorg.com"
  - name: flux-helm-repositories
    match:
      any:
      - resources:
          kinds:
          - HelmRepository
    exclude:
      any:
      - resources:
          namespaces:
          - flux-system
    validate:
      message: ".spec.url must be from a repository within the myorg organization."
      pattern:
        spec:
          url: "https://?*.myorg.com/*"
  - name: flux-image-repositories
    match:
      any:
      - resources:
          kinds:
          - ImageRepository
    exclude:
      any:
      - resources:
          namespaces:
          - flux-system
    validate:
      message: ".spec.image must be from an image repository within the myorg organization."
      pattern:
        spec:
          image: "ghcr.io/myorg/*"
```
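To see what the four patterns above accept and reject before switching the policy to `enforce`, here is an added Python script that is not part of the Kyverno policy library or of Kyverno itself. It reimplements only the subset of Kyverno pattern semantics this policy relies on, stated as assumptions in the code: `*` matches zero or more characters, `?` exactly one, `|` separates alternatives, the match is against the whole string, and a missing field fails the pattern. The Flux resources it evaluates are constructed samples. Use `kyverno apply` with the real policy for the authoritative result; this script is for reasoning about edge cases such as trailing slashes and SSH URL forms.

```python
import re

# Field and pattern per Flux kind, copied from the policy's validate.pattern blocks.
POLICY_RULES = {
    "GitRepository": ("url", "https://github.com/myorg/?* | ssh://git@github.com:myorg/?*"),
    "Bucket": ("endpoint", "*.myorg.com"),
    "HelmRepository": ("url", "https://?*.myorg.com/*"),
    "ImageRepository": ("image", "ghcr.io/myorg/*"),
}
EXCLUDED_NAMESPACES = {"flux-system"}  # the policy's exclude block


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Assumed Kyverno wildcard semantics: '*' = zero or more chars, '?' = exactly one."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def value_matches(value: str, pattern: str) -> bool:
    """'|' separates alternatives (whitespace trimmed); each must match the whole string."""
    return any(wildcard_to_regex(alt.strip()).fullmatch(value) for alt in pattern.split("|"))


def evaluate(resource: dict) -> str:
    """Return 'skip' (not matched or excluded), 'pass' or 'fail' for one resource."""
    kind = resource["kind"]
    if kind not in POLICY_RULES:
        return "skip"
    if resource["metadata"].get("namespace") in EXCLUDED_NAMESPACES:
        return "skip"
    field, pattern = POLICY_RULES[kind]
    value = resource.get("spec", {}).get(field)
    if value is None:
        return "fail"  # assumption: a key named in the pattern but absent in the resource fails
    return "pass" if value_matches(value, pattern) else "fail"


def admission_outcome(resource: dict, failure_action: str = "audit") -> str:
    """audit only reports a failure; enforce rejects it at admission."""
    if evaluate(resource) == "fail" and failure_action == "enforce":
        return "deny"
    return "allow"


def flux_resource(kind: str, name: str, namespace: str, **spec) -> dict:
    """Build a minimal constructed Flux source manifest (sample data, not from a real cluster)."""
    return {"kind": kind, "metadata": {"name": name, "namespace": namespace}, "spec": spec}


# Constructed samples covering the cases a reviewer would want to check.
GIT_OK = flux_resource("GitRepository", "podinfo", "apps", url="https://github.com/myorg/podinfo")
GIT_BAD = flux_resource("GitRepository", "evil", "apps", url="https://github.com/attacker/podinfo")
GIT_FLUX_SYSTEM = flux_resource("GitRepository", "bootstrap", "flux-system", url="https://github.com/attacker/x")
GIT_SSH_SLASH = flux_resource("GitRepository", "podinfo-ssh", "apps", url="ssh://git@github.com/myorg/podinfo")
BUCKET_OK = flux_resource("Bucket", "minio", "apps", endpoint="minio.myorg.com")
BUCKET_SUFFIX_ATTACK = flux_resource("Bucket", "fake", "apps", endpoint="myorg.com.evil.net")
HELM_OK = flux_resource("HelmRepository", "charts", "apps", url="https://charts.myorg.com/")
HELM_NO_SLASH = flux_resource("HelmRepository", "charts2", "apps", url="https://charts.myorg.com")
IMAGE_OK = flux_resource("ImageRepository", "app", "apps", image="ghcr.io/myorg/podinfo")
IMAGE_BAD = flux_resource("ImageRepository", "app2", "apps", image="docker.io/myorg/podinfo")

SAMPLES = [GIT_OK, GIT_BAD, GIT_FLUX_SYSTEM, GIT_SSH_SLASH, BUCKET_OK,
           BUCKET_SUFFIX_ATTACK, HELM_OK, HELM_NO_SLASH, IMAGE_OK, IMAGE_BAD]


def report() -> dict:
    """Map 'kind/namespace/name' to its evaluation result for all samples."""
    return {f"{r['kind']}/{r['metadata']['namespace']}/{r['metadata']['name']}": evaluate(r)
            for r in SAMPLES}


if __name__ == "__main__":
    for key, result in report().items():
        print(f"{result:5} {key}")
```

Two results are worth noticing: `GIT_SSH_SLASH` fails even though it points at `myorg`, because the pattern's SSH alternative spells the host and organization as `github.com:myorg`, and `HELM_NO_SLASH` fails because the pattern requires the literal `/` after the host. Both are the kind of legitimate-source false positive that `audit` mode surfaces in policy reports before `enforce` would start rejecting them.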