All Policies

Prevent Linkerd Pod Injection Override

Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to `disabled` may effectively disable mesh participation for that workload reducing security and visibility. This policy prevents setting the annotation `linkerd.io/inject` to `disabled` for Pods.

Policy Definition

/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: prevent-linkerd-pod-injection-override
 5  annotations:
 6    policies.kyverno.io/title: Prevent Linkerd Pod Injection Override
 7    policies.kyverno.io/category: Linkerd
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: Pod
10    policies.kyverno.io/description: >-
11      Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to
12      `disabled` may effectively disable mesh participation for that workload reducing
13      security and visibility. This policy prevents setting the annotation `linkerd.io/inject`
14      to `disabled` for Pods.
15spec:
16  validationFailureAction: Audit
17  background: true
18  rules:
19  - name: pod-injection-override
20    match:
21      any:
22      - resources:
23          kinds:
24          - Pod
25    validate:
26      message: "Pods may not disable sidecar injection."
27      pattern:
28        metadata:
29          =(annotations):
30            =(linkerd.io/inject): "!disabled"
Create policy issue