All Policies

Prevent Disabling Istio Sidecar Injection

One way sidecar injection in an Istio service mesh may be accomplished is by defining an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh thereby reducing visibility. This policy ensures that Pods cannot set the annotation `sidecar.istio.io/inject` to a value of `false`.

Policy Definition

/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: prevent-disabling-injection-pods
 5  annotations:
 6    policies.kyverno.io/title: Prevent Disabling Istio Sidecar Injection
 7    policies.kyverno.io/category: Istio
 8    policies.kyverno.io/severity: medium
 9    kyverno.io/kyverno-version: 1.8.0
10    policies.kyverno.io/minversion: 1.6.0
11    kyverno.io/kubernetes-version: "1.24"
12    policies.kyverno.io/subject: Pod
13    policies.kyverno.io/description: >-
14      One way sidecar injection in an Istio service mesh may be accomplished is by defining
15      an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh
16      thereby reducing visibility. This policy ensures that Pods cannot set the annotation
17      `sidecar.istio.io/inject` to a value of `false`.
18spec:
19  validationFailureAction: Audit
20  background: true
21  rules:
22  - name: prohibit-inject-annotation
23    match:
24      any:
25      - resources:
26          kinds:
27          - Pod
28    validate:
29      message: "Pods may not disable sidecar injection by setting the annotation sidecar.istio.io/inject to a value of false."
30      pattern:
31        metadata:
32          =(annotations):
33            =(sidecar.istio.io/inject): "!false"
Create policy issue