An Istio AuthorizationPolicy provides access control for traffic in the mesh and can be defined at the mesh, Namespace, or workload level. At the Namespace level, every Namespace should carry at least one AuthorizationPolicy. This policy runs in Audit mode and in the background, so it reports (rather than blocks) Namespaces that have no AuthorizationPolicy of their own; it looks up the namespaces of all existing AuthorizationPolicies through an API call and denies any Namespace whose name is not in that list.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-authorizationpolicies
  annotations:
    policies.kyverno.io/title: Require Istio AuthorizationPolicies
    policies.kyverno.io/category: Istio
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: AuthorizationPolicy
    policies.kyverno.io/description: >-
      An AuthorizationPolicy is used to provide access controls for traffic in the mesh
      and can be defined at multiple levels. For the Namespace level, all Namespaces
      should have at least one AuthorizationPolicy. This policy, designed to run in
      background mode for reporting purposes, ensures every Namespace has at least one
      AuthorizationPolicy.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: check-authz-pol
    match:
      any:
      - resources:
          kinds:
          - Namespace
    context:
    - name: allauthorizationpolicies
      apiCall:
        urlPath: /apis/security.istio.io/v1beta1/authorizationpolicies
        jmesPath: items[].metadata.namespace
    validate:
      message: All Namespaces must have an AuthorizationPolicy.
      deny:
        conditions:
          all:
          - key: "{{request.object.metadata.name}}"
            operator: AnyNotIn
            value: "{{allauthorizationpolicies}}"
```
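To see exactly which Namespaces the rule above reports, the following Python emulates its evaluation offline: it applies the same `items[].metadata.namespace` extraction to a constructed, trimmed stand-in for the AuthorizationPolicy list and the same `AnyNotIn` deny condition to a constructed list of Namespace names. It also shows the one case the rule does not account for: an AuthorizationPolicy with no selector in Istio's root namespace applies mesh-wide, so a Namespace can be covered in Istio terms while still being flagged here. This is an added example, not code from the policy or from Kyverno; the namespace names, policy names and the root-namespace name `istio-system` (Istio's default `meshConfig.rootNamespace`) are assumptions.

```python
"""Offline emulation of the require-authorizationpolicies rule (added example)."""
import json

ROOT_NAMESPACE = "istio-system"  # Istio's default root namespace (assumed, configurable)

# Constructed, trimmed stand-in for the apiCall response from
# /apis/security.istio.io/v1beta1/authorizationpolicies. Not real cluster data.
SAMPLE_AUTHZ_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "deny-all", "namespace": "istio-system"}, "spec": {}},
  {"metadata": {"name": "frontend-ingress", "namespace": "shop"},
   "spec": {"selector": {"matchLabels": {"app": "frontend"}}}},
  {"metadata": {"name": "frontend-egress", "namespace": "shop"}, "spec": {}}
]}
""")

# Constructed names of the Namespace objects the rule would be evaluated against.
SAMPLE_NAMESPACES = ["default", "istio-system", "shop", "billing"]


def namespaces_with_policy(authz_list):
    """Equivalent of the context's jmesPath `items[].metadata.namespace`."""
    return [item["metadata"]["namespace"] for item in authz_list.get("items", [])]


def namespace_denied(ns_name, covered):
    """The deny condition: key AnyNotIn value -> deny (a reported violation)."""
    return ns_name not in covered


def audit(namespaces, authz_list):
    """Return {namespace: 'pass'|'fail'} as the Audit-mode PolicyReport would."""
    covered = namespaces_with_policy(authz_list)
    return {ns: "fail" if namespace_denied(ns, covered) else "pass" for ns in namespaces}


def effectively_covered(namespaces, authz_list, root_ns=ROOT_NAMESPACE):
    """Namespaces that have *some* AuthorizationPolicy applying to them in Istio terms.

    A policy with no selector in the root namespace applies to every workload in the
    mesh, so all namespaces are covered by it even though the Kyverno rule still
    flags the ones without a policy of their own.
    """
    items = authz_list.get("items", [])
    mesh_wide = any(
        i["metadata"]["namespace"] == root_ns and not i.get("spec", {}).get("selector")
        for i in items
    )
    covered = set(namespaces_with_policy(authz_list))
    return {ns: (mesh_wide or ns in covered) for ns in namespaces}


if __name__ == "__main__":
    print("rule result:      ", audit(SAMPLE_NAMESPACES, SAMPLE_AUTHZ_LIST))
    print("istio coverage:   ", effectively_covered(SAMPLE_NAMESPACES, SAMPLE_AUTHZ_LIST))
```

With the sample data, `default` and `billing` fail the rule while `istio-system` and `shop` pass, even though the mesh-wide `deny-all` policy means every namespace already has a policy applying to it. If a root-namespace deny-all is part of your baseline, treat the per-Namespace report as a defence-in-depth finding rather than evidence of an open namespace.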
This policy prevents the use of the default project in an Argo CD Application. The default AppProject permits deployments from any source repository to any destination cluster and namespace, so Applications should be placed in a more restrictive AppProject.
Services of type LoadBalancer deployed in AWS support TLS termination on the load balancer when it is enabled via an annotation. This policy requires that Services of type LoadBalancer carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with a non-empty value (the ARN of the ACM or IAM certificate the load balancer presents). Note that this annotation only encrypts the client-to-load-balancer hop: traffic from the load balancer to the nodes remains plaintext unless service.beta.kubernetes.io/aws-load-balancer-backend-protocol is also set to ssl or https.
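The following Python shows the pass/fail boundary of the check just described on a weak Service manifest beside a corrected one, plus the backend-hop caveat. It is an added example, not the policy's own code or Kyverno code; the Service names, namespace and certificate ARN are constructed placeholders, and `evaluate_service` mirrors the rule's "present with some value" requirement (a present but empty annotation still fails).

```python
"""Added example: evaluate Services against the AWS load balancer TLS requirement."""
import copy

SSL_CERT_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
BACKEND_PROTOCOL_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-backend-protocol"

# Weak: an internet-facing LoadBalancer Service with no certificate annotation.
# Constructed sample manifest.
WEAK_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "web", "namespace": "shop", "annotations": {}},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 443, "targetPort": 8443}]},
}

# Corrected: certificate ARN present (placeholder account and certificate id)
# and the load-balancer-to-node hop encrypted as well.
FIXED_SERVICE = copy.deepcopy(WEAK_SERVICE)
FIXED_SERVICE["metadata"]["annotations"] = {
    SSL_CERT_ANNOTATION: "arn:aws:acm:us-east-1:123456789012:certificate/"
                         "00000000-0000-0000-0000-000000000000",
    BACKEND_PROTOCOL_ANNOTATION: "ssl",
}


def _annotations(svc):
    # metadata.annotations may be absent or null in a real object.
    return (svc.get("metadata") or {}).get("annotations") or {}


def evaluate_service(svc):
    """Return 'skip', 'pass' or 'fail' for one Service object.

    'skip' mirrors the rule's match block: only Services of type LoadBalancer
    are evaluated. 'pass' requires the annotation to be present and non-empty,
    which is what a Kyverno "?*" pattern enforces.
    """
    if svc.get("kind") != "Service" or (svc.get("spec") or {}).get("type") != "LoadBalancer":
        return "skip"
    value = _annotations(svc).get(SSL_CERT_ANNOTATION, "")
    return "pass" if isinstance(value, str) and value.strip() else "fail"


def backend_is_encrypted(svc):
    """Caveat check: the ssl-cert annotation terminates TLS at the load balancer only."""
    return _annotations(svc).get(BACKEND_PROTOCOL_ANNOTATION, "").lower() in {"ssl", "https"}


def report(services):
    """Summarise a list of Service objects as (name, rule result, backend encrypted)."""
    return [
        (svc["metadata"]["name"], evaluate_service(svc), backend_is_encrypted(svc))
        for svc in services
    ]


if __name__ == "__main__":
    for row in report([WEAK_SERVICE, FIXED_SERVICE]):
        print(row)
```

The `backend_is_encrypted` column is not part of the policy as described; it is there because a Service can satisfy the rule and still carry plaintext between the load balancer and the nodes, which is worth a second rule if that hop crosses a trust boundary in your VPC.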
This policy prevents the project field of an Argo CD Application from being changed after the Application is created, since the AppProject determines which source repositories and destination clusters the Application is allowed to use.