Check Linkerd AuthorizationPolicy
As of Linkerd 2.12, an AuthorizationPolicy is a resource used to selectively allow traffic to either a Server or HTTPRoute resource. Creating AuthorizationPolicies is needed when a Server exists in order to control what traffic is permitted within the mesh to the Pods selected by the Server or HTTPRoute. This policy, requiring Linkerd 2.12+, checks incoming AuthorizationPolicy resources to ensure that either a matching Server or HTTPRoute exists first.
Policy Definition
/linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-linkerd-authorizationpolicy
  annotations:
    policies.kyverno.io/title: Check Linkerd AuthorizationPolicy
    policies.kyverno.io/category: Linkerd
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: AuthorizationPolicy
    kyverno.io/kyverno-version: "1.8.0"
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      As of Linkerd 2.12, an AuthorizationPolicy is a resource used to selectively allow traffic
      to either a Server or HTTPRoute resource. Creating AuthorizationPolicies is needed when
      a Server exists in order to control what traffic is permitted within the mesh to the Pods
      selected by the Server or HTTPRoute. This policy, requiring Linkerd 2.12+, checks incoming
      AuthorizationPolicy resources to ensure that either a matching Server or HTTPRoute exists
      first.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: check-server-exists
    match:
      any:
      - resources:
          kinds:
          - AuthorizationPolicy
    context:
    - name: servers
      apiCall:
        urlPath: "/apis/policy.linkerd.io/v1beta1/namespaces/{{request.namespace}}/servers"
        jmesPath: "items[].metadata.name || `[]`"
    - name: httproutes
      apiCall:
        urlPath: "/apis/policy.linkerd.io/v1beta1/namespaces/{{request.namespace}}/httproutes"
        jmesPath: "items[].metadata.name || `[]`"
    validate:
      message: "Server or HTTPRoute not found for this AuthorizationPolicy."
      deny:
        conditions:
          all:
          - key: "{{request.object.spec.targetRef.name}}"
            operator: AnyNotIn
            value: "{{servers}}"
          - key: "{{request.object.spec.targetRef.name}}"
            operator: AnyNotIn
            value: "{{httproutes}}"
```
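As an added illustration (not part of the policy library or Kyverno's own code), the Python below models the rule's two per-namespace apiCall lookups and its `deny.conditions.all` logic against a constructed cluster inventory, and goes beyond the page with a kind-aware variant: the rule as written compares `targetRef.name` against both name lists without looking at `targetRef.kind`. The `CLUSTER` inventory, the `emojivoto` namespace and the resource names are constructed sample data.

```python
from typing import Any

DENY_MESSAGE = "Server or HTTPRoute not found for this AuthorizationPolicy."

# Constructed stand-in for the API server: namespace -> resource -> object names,
# i.e. what the two apiCall context entries see at
# /apis/policy.linkerd.io/v1beta1/namespaces/{{request.namespace}}/<resource>
CLUSTER = {
    "emojivoto": {"servers": ["web-http", "emoji-grpc"], "httproutes": ["web-get"]},
    "default": {"servers": [], "httproutes": []},
}


def api_call(cluster: dict, namespace: str, resource: str) -> list:
    """Model the apiCall plus the jmesPath `items[].metadata.name || `[]`` projection."""
    return list(cluster.get(namespace, {}).get(resource, []))


def any_not_in(key: Any, values: list) -> bool:
    """Kyverno AnyNotIn: true when any element of key is absent from values."""
    keys = key if isinstance(key, list) else [key]
    return any(k not in values for k in keys)


def evaluate(request: dict, cluster: dict = CLUSTER) -> dict:
    """Verdict ("pass"/"fail") and message the check-server-exists rule would produce."""
    ns = request["namespace"]
    name = request["object"]["spec"]["targetRef"]["name"]
    servers = api_call(cluster, ns, "servers")
    httproutes = api_call(cluster, ns, "httproutes")
    # deny.conditions.all: deny only when the name is in NEITHER list.
    denied = all([any_not_in(name, servers), any_not_in(name, httproutes)])
    return {"result": "fail" if denied else "pass", "message": DENY_MESSAGE if denied else ""}


def evaluate_kind_aware(request: dict, cluster: dict = CLUSTER) -> dict:
    """Stricter variant (hypothetical, not on the page): the name must exist under the
    resource matching targetRef.kind, so a policy targeting an HTTPRoute does not pass
    merely because a Server shares the name."""
    ns = request["namespace"]
    ref = request["object"]["spec"]["targetRef"]
    resource = {"Server": "servers", "HTTPRoute": "httproutes"}.get(ref["kind"])
    found = resource is not None and ref["name"] in api_call(cluster, ns, resource)
    return {"result": "pass" if found else "fail", "message": "" if found else DENY_MESSAGE}


def authz_request(namespace: str, kind: str, name: str) -> dict:
    """Constructed admission request carrying only the fields the rule reads."""
    return {"namespace": namespace, "object": {"kind": "AuthorizationPolicy",
            "spec": {"targetRef": {"group": "policy.linkerd.io", "kind": kind, "name": name}}}}
```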