Verify Git Repositories
Ensures that Git repositories used for Flux deployments in a cluster originate from a specific, trusted organization. Prevents the use of untrusted or potentially risky Git repositories. Protects the integrity and security of Flux deployments.
Policy Definition
/flux/verify-git-repositories/verify-git-repositories.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-git-repositories
  annotations:
    policies.kyverno.io/title: Verify Git Repositories
    policies.kyverno.io/category: Flux
    policies.kyverno.io/severity: medium
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: GitRepository
    policies.kyverno.io/description: >-
      Ensures that Git repositories used for Flux deployments
      in a cluster originate from a specific, trusted organization.
      Prevents the use of untrusted or potentially risky Git repositories.
      Protects the integrity and security of Flux deployments.
spec:
  validationFailureAction: Audit
  rules:
  - name: github-repositories-only
    match:
      any:
      - resources:
          kinds:
          - GitRepository
    exclude:
      any:
      - resources:
          namespaces:
          - flux-system
    validate:
      message: .spec.url must be from a repository within the organisation X
      pattern:
        spec:
          url: https://github.com/fluxcd/?* | ssh://git@github.com:fluxcd/?*
```
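The following is an added example, not part of the Kyverno policy library, that simulates how the rule above is evaluated against a few constructed GitRepository manifests. It implements the Kyverno wildcard semantics used in the `url` pattern (`*` matches any run of characters, `?` matches exactly one character, `|` separates alternatives, so `?*` requires at least one character after the organisation prefix) together with the `flux-system` namespace exclusion. The sample resources, their names and namespaces are invented for illustration; the pattern string itself is copied from the policy.

```python
"""Simulate the verify-git-repositories pattern check (added example).

Kyverno 'validate.pattern' string matching: '*' = zero or more characters,
'?' = exactly one character, '|' = logical OR between alternatives.
Resources in the excluded namespace are skipped rather than evaluated.
Note the policy runs in Audit mode, so a 'fail' here corresponds to a
reported violation, not a blocked admission request.
"""
import re

# Pattern and exclusion copied from the policy definition above.
URL_PATTERN = "https://github.com/fluxcd/?* | ssh://git@github.com:fluxcd/?*"
EXCLUDED_NAMESPACES = {"flux-system"}


def wildcard_to_regex(alternative: str) -> re.Pattern:
    """Translate one Kyverno wildcard alternative into an anchored regex."""
    parts = []
    for ch in alternative:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def pattern_matches(value: str, pattern: str = URL_PATTERN) -> bool:
    """A '|'-separated pattern matches if any one alternative fully matches."""
    return any(
        wildcard_to_regex(alt.strip()).fullmatch(value) is not None
        for alt in pattern.split("|")
    )


def evaluate(resource: dict) -> str:
    """Return 'skip', 'pass' or 'fail' for a single resource, following
    the rule's match / exclude / validate structure."""
    if resource.get("kind") != "GitRepository":
        return "skip"  # match.any.resources.kinds does not select it
    if resource.get("metadata", {}).get("namespace") in EXCLUDED_NAMESPACES:
        return "skip"  # exclude.any.resources.namespaces
    url = resource.get("spec", {}).get("url")
    if isinstance(url, str) and pattern_matches(url):
        return "pass"
    return "fail"


def audit(resources: list) -> dict:
    """Map each resource name to its evaluation result."""
    return {r["metadata"]["name"]: evaluate(r) for r in resources}


# Constructed sample manifests (names, namespaces and URLs are made up).
SAMPLE_RESOURCES = [
    {"kind": "GitRepository",
     "metadata": {"name": "https-ok", "namespace": "apps"},
     "spec": {"url": "https://github.com/fluxcd/flux2-kustomize-helm-example"}},
    {"kind": "GitRepository",
     "metadata": {"name": "ssh-ok", "namespace": "apps"},
     "spec": {"url": "ssh://git@github.com:fluxcd/flux2"}},
    {"kind": "GitRepository",
     "metadata": {"name": "other-org", "namespace": "apps"},
     "spec": {"url": "https://github.com/someone-else/repo"}},
    # Prefix lookalike: 'fluxcd-evil' is not 'fluxcd/' so it must fail.
    {"kind": "GitRepository",
     "metadata": {"name": "lookalike-org", "namespace": "apps"},
     "spec": {"url": "https://github.com/fluxcd-evil/repo"}},
    # Bare organisation URL: '?*' needs at least one character after 'fluxcd/'.
    {"kind": "GitRepository",
     "metadata": {"name": "no-repo-name", "namespace": "apps"},
     "spec": {"url": "https://github.com/fluxcd/"}},
    # Excluded namespace: never evaluated, whatever the URL says.
    {"kind": "GitRepository",
     "metadata": {"name": "bootstrap", "namespace": "flux-system"},
     "spec": {"url": "https://github.com/someone-else/repo"}},
    {"kind": "HelmRepository",
     "metadata": {"name": "charts", "namespace": "apps"},
     "spec": {"url": "https://charts.example.invalid"}},
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_RESOURCES).items():
        print(f"{name:15} {result}")
```

Running the script lists each constructed resource with `pass`, `fail` or `skip`; the two points worth noticing are that the exclusion means anything in `flux-system` is never checked at all, and that because the pattern is a plain prefix match, only URLs whose path begins exactly with `fluxcd/` after the host are accepted.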