All Policies

Require Linkerd Mesh Injection in CEL expressions

Sidecar proxy injection in Linkerd may be handled at the Namespace level by setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`.

Policy Definition

/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: require-linkerd-mesh-injection
 5  annotations:
 6    policies.kyverno.io/title: Require Linkerd Mesh Injection in CEL expressions
 7    policies.kyverno.io/category: Linkerd in CEL 
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: Namespace, Annotation
10    policies.kyverno.io/minversion: 1.11.0
11    kyverno.io/kubernetes-version: "1.26-1.27"
12    policies.kyverno.io/description: >-
13      Sidecar proxy injection in Linkerd may be handled at the Namespace level by
14      setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that
15      all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`.
16spec:
17  validationFailureAction: Audit
18  background: true
19  rules:
20  - name: require-mesh-annotation
21    match:
22      any:
23      - resources:
24          kinds:
25          - Namespace
26          operations:
27          - CREATE
28          - UPDATE
29    validate:
30      cel:
31        expressions:
32          - expression: "object.metadata.?annotations[?'linkerd.io/inject'].orValue('') == 'enabled'"
33            message: "All Namespaces must set the annotation `linkerd.io/inject` to `enabled`."
Create policy issue