
Prevent Disabling Istio Sidecar Injection in CEL expressions

One way to control sidecar injection in an Istio service mesh is an annotation on the Pod itself. Pods that do not receive a sidecar cannot participate in the mesh, which reduces visibility. This policy ensures that Pods cannot set the annotation `sidecar.istio.io/inject` to a value of `false`. Note that the rule matches only the literal string `false` in the annotation: Istio also honours the same key as a Pod label, and its injector treats any non-empty value outside its truthy set (`true`, `yes`, `y`, `on`) as a request to skip injection, so those variants are not caught here. As shipped, `validationFailureAction` is `Audit`, so violations are reported in policy reports rather than rejected; set it to `Enforce` to block them.

Policy Definition

/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: prevent-disabling-injection-pods
  annotations:
    policies.kyverno.io/title: Prevent Disabling Istio Sidecar Injection in CEL expressions
    policies.kyverno.io/category: Istio in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      One way sidecar injection in an Istio service mesh may be accomplished is by defining
      an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh
      thereby reducing visibility. This policy ensures that Pods cannot set the annotation
      `sidecar.istio.io/inject` to a value of `false`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: prohibit-inject-annotation
    match:
      any:
      - resources:
          kinds:
          - Pod
          operations:
          - CREATE
          - UPDATE
    validate:
      cel:
        expressions:
          - expression: >-
              object.metadata.?annotations[?'sidecar.istio.io/inject'].orValue('') != 'false'
            message: "Pods may not disable sidecar injection by setting the annotation sidecar.istio.io/inject to a value of false."
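The following Python is an added example, not part of the Kyverno policy library or of Istio. `policy_allows()` mirrors the CEL expression above (optional chaining on a missing `annotations` map or key yields the empty string, which is then compared with `'false'`). `istio_would_inject()` is a simplified model, stated here as an assumption rather than Istio's own code, of how the injection webhook reads the value: the label is preferred over the annotation when both are set, an empty value falls back to the namespace default, and only a small set of truthy strings enables injection. Running the two side by side over constructed Pod manifests shows which manifests pass the rule yet still end up without a sidecar.

```python
"""Model of the Kyverno CEL rule above, run over constructed Pod manifests.

Added example, not part of the Kyverno policy library. policy_allows()
mirrors the CEL expression exactly; istio_would_inject() is a simplified
model (an assumption, not Istio's code) of the injection webhook's decision.
"""
from typing import Optional

INJECT_KEY = "sidecar.istio.io/inject"

# Values the injector is assumed to treat as "inject" (case-insensitive);
# any other non-empty value is treated as "do not inject".
TRUTHY = {"y", "yes", "true", "on"}


def policy_allows(pod: dict) -> bool:
    """Evaluate the policy's CEL expression in Python.

    object.metadata.?annotations[?'sidecar.istio.io/inject'].orValue('') != 'false'
    A missing annotations map or missing key yields '' via optional chaining.
    """
    annotations = pod.get("metadata", {}).get("annotations") or {}
    value = annotations.get(INJECT_KEY, "")
    return value != "false"


def istio_would_inject(pod: dict, namespace_default: bool = True) -> bool:
    """Simplified injector model (assumption, see lead-in).

    The label wins over the annotation when both are present; an empty or
    absent value falls back to the namespace default; only TRUTHY injects.
    """
    meta = pod.get("metadata", {})
    value = (meta.get("annotations") or {}).get(INJECT_KEY, "")
    labels = meta.get("labels") or {}
    if INJECT_KEY in labels:
        value = labels[INJECT_KEY]
    lowered = value.lower()
    if lowered == "":
        return namespace_default
    return lowered in TRUTHY


def find_bypasses(pods: list) -> list:
    """Names of Pods the policy accepts that would still get no sidecar."""
    return [
        p["metadata"]["name"]
        for p in pods
        if policy_allows(p) and not istio_would_inject(p)
    ]


def pod(name: str, annotations: Optional[dict] = None,
        labels: Optional[dict] = None) -> dict:
    """Build a minimal Pod manifest (constructed sample data)."""
    meta = {"name": name, "namespace": "default"}
    if annotations is not None:
        meta["annotations"] = annotations
    if labels is not None:
        meta["labels"] = labels
    return {"apiVersion": "v1", "kind": "Pod", "metadata": meta,
            "spec": {"containers": [{"name": "app", "image": "nginx"}]}}


# Constructed manifests covering the rule's edge cases.
SAMPLE_PODS = [
    pod("no-annotations"),
    pod("inject-true", {INJECT_KEY: "true"}),
    pod("inject-false", {INJECT_KEY: "false"}),        # the only case the rule blocks
    pod("inject-False", {INJECT_KEY: "False"}),        # passes the rule, no sidecar
    pod("inject-no", {INJECT_KEY: "no"}),              # passes the rule, no sidecar
    pod("label-false", labels={INJECT_KEY: "false"}),  # label is not checked at all
    pod("label-overrides", {INJECT_KEY: "true"}, {INJECT_KEY: "false"}),
]


if __name__ == "__main__":
    for p in SAMPLE_PODS:
        print(f"{p['metadata']['name']:18} policy_allows={policy_allows(p)!s:5} "
              f"sidecar={istio_would_inject(p)}")
    print("bypasses:", find_bypasses(SAMPLE_PODS))
```

Under this model the rule stops exactly one of the seven manifests. A hardened rule would read the label as well as the annotation, lower-case the value, and reject any non-empty value that is not in the injector's truthy set, rather than comparing against the single literal `false`; verify any rewritten expression against the Istio version you run, since the injector's parsing is what ultimately decides.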