Prevent Linkerd Port Skipping in CEL expressions
Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting them from mTLS. This can be important in some narrow use cases but generally should be avoided. This policy prevents Pods from setting the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`.
Policy Definition
/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: prevent-linkerd-port-skipping
  annotations:
    policies.kyverno.io/title: Prevent Linkerd Port Skipping in CEL expressions
    policies.kyverno.io/category: Linkerd in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting
      them from mTLS. This can be important in some narrow use cases but
      generally should be avoided. This policy prevents Pods from setting
      the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: pod-prevent-port-skipping
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            - expression: >-
                !has(object.metadata.annotations) ||
                (!('config.linkerd.io/skip-inbound-ports' in object.metadata.annotations) && !('config.linkerd.io/skip-outbound-ports' in object.metadata.annotations))
              message: "Pods may not skip ports. The annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports` must not be set."
```
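The CEL expression above has two parts worth seeing in action: the `has()` guard, which keeps the rule from indexing into a missing `annotations` map, and the `in` checks, which test for the presence of the annotation keys regardless of their values. The following is an added example, not code from the Kyverno policy library and not the CEL engine Kyverno actually uses: a plain-Python model of the same rule run against a few constructed Pod manifests (the Pod names and annotation values are hypothetical), reporting results the way an Audit-mode policy would.

```python
# Added example (not from the Kyverno policy page): a plain-Python model of the
# policy's CEL rule, evaluated against constructed Pod manifests. Kyverno runs
# the real rule with its CEL engine; this only mirrors the logic so the guard
# against a missing annotations map and the key-presence check are visible.

SKIP_ANNOTATIONS = (
    "config.linkerd.io/skip-inbound-ports",
    "config.linkerd.io/skip-outbound-ports",
)

# Same message the policy emits on a violation.
MESSAGE = ("Pods may not skip ports. The annotations "
           "`config.linkerd.io/skip-inbound-ports` or "
           "`config.linkerd.io/skip-outbound-ports` must not be set.")


def pod_allowed(pod: dict) -> bool:
    """Mirror of the CEL expression from the policy:

        !has(object.metadata.annotations) ||
        (!('config.linkerd.io/skip-inbound-ports' in object.metadata.annotations) &&
         !('config.linkerd.io/skip-outbound-ports' in object.metadata.annotations))

    In CEL, has() is false for an absent field (this model also treats an explicit
    null as absent) and `||` short-circuits, so a Pod with no annotations passes
    without ever indexing the missing map. The check is on key presence only:
    the annotation's value is irrelevant.
    """
    annotations = pod.get("metadata", {}).get("annotations")
    if annotations is None:          # has(object.metadata.annotations) == false
        return True
    return not any(key in annotations for key in SKIP_ANNOTATIONS)


def audit(pods: list) -> list:
    """Audit-mode style report: one (pod name, 'pass'|'fail', message) tuple per Pod.

    validationFailureAction: Audit records the violation instead of rejecting
    the admission request, which is what this report models.
    """
    report = []
    for pod in pods:
        name = pod.get("metadata", {}).get("name", "<unnamed>")
        ok = pod_allowed(pod)
        report.append((name, "pass" if ok else "fail", None if ok else MESSAGE))
    return report


# Constructed sample Pods (hypothetical names and values).
SAMPLE_PODS = [
    # No annotations at all: has() is false, the rule passes.
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "plain"}},
    # Only an unrelated Linkerd annotation: still passes.
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "meshed",
                  "annotations": {"linkerd.io/inject": "enabled"}}},
    # Skips inbound ports: fails.
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "skip-in",
                  "annotations": {"config.linkerd.io/skip-inbound-ports": "8080,9090"}}},
    # Key present with an empty value: still fails, because presence is what is checked.
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "skip-out-empty",
                  "annotations": {"config.linkerd.io/skip-outbound-ports": ""}}},
]

if __name__ == "__main__":
    for name, result, msg in audit(SAMPLE_PODS):
        print(f"{name:15s} {result}" + (f"  {msg}" if msg else ""))
```

The fourth sample is the one to note when reviewing Audit results: an annotation set to an empty string is still a violation, so a workload cannot satisfy the rule by blanking the value rather than removing the key.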