Check Environment Variables in CEL expressions
Environment variables control many aspects of a container's execution and are often the source of many different configuration settings. Being able to ensure that the value of a specific environment variable either is or is not set to a specific string is useful to maintain such controls. This policy checks every container to ensure that if the `DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`.
Policy Definition
/other-cel/check-env-vars/check-env-vars.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-env-vars
  annotations:
    policies.kyverno.io/title: Check Environment Variables in CEL expressions
    policies.kyverno.io/severity: medium
    policies.kyverno.io/category: Other in CEL
    policies.kyverno.io/subject: Pod
    kyverno.io/kubernetes-version: "1.26-1.27"
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/description: >-
      Environment variables control many aspects of a container's execution and are
      often the source of many different configuration settings. Being able to ensure that
      the value of a specific environment variable either is or is not set to a specific string
      is useful to maintain such controls. This policy checks every container to ensure that if the
      `DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`.
spec:
  background: true
  validationFailureAction: Audit
  rules:
    - name: check-disable-opa
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            - expression: >-
                !object.spec.containers.exists(container,
                container.?env.orValue([]).exists(e, e.name == 'DISABLE_OPA' && e.value == 'true'))
              message: "DISABLE_OPA must not be set to true."
```
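To see what the CEL expression above accepts and rejects, here is an added Python model of its logic (not the policy's own code and not a CEL evaluator) run over constructed sample Pods; it also shows that only `spec.containers` is inspected, so an `initContainer` setting the same variable is outside the rule's scope.

```python
# Added example, not part of the Kyverno policy page: a plain-Python model of the
# CEL expression so its accept/reject behaviour can be checked offline.
# All Pod manifests below are constructed for illustration.

def container_violates(container: dict) -> bool:
    """Mirror of: container.?env.orValue([]).exists(e, e.name == 'DISABLE_OPA' && e.value == 'true')"""
    # `.?env.orValue([])` makes a container with no env list evaluate as an empty list.
    env = container.get("env") or []
    # Assumption: an entry populated via `valueFrom` carries no literal `value`,
    # so it is treated as a non-match here; the rule only compares literal values.
    return any(e.get("name") == "DISABLE_OPA" and e.get("value") == "true" for e in env)

def policy_allows(pod: dict) -> bool:
    """Mirror of: !object.spec.containers.exists(container, ...); only spec.containers is inspected."""
    return not any(container_violates(c) for c in pod["spec"]["containers"])

def pod(containers, init_containers=None) -> dict:
    spec = {"containers": containers}
    if init_containers:
        spec["initContainers"] = init_containers
    return {"apiVersion": "v1", "kind": "Pod", "spec": spec}

# Constructed sample Pods covering the main cases.
NO_ENV = pod([{"name": "app", "image": "example/app"}])
OPA_TRUE = pod([{"name": "app", "image": "example/app",
                 "env": [{"name": "DISABLE_OPA", "value": "true"}]}])
OPA_FALSE = pod([{"name": "app", "image": "example/app",
                  "env": [{"name": "DISABLE_OPA", "value": "false"}]}])
SIDECAR_TRUE = pod([{"name": "app", "image": "example/app"},
                    {"name": "sidecar", "image": "example/sidecar",
                     "env": [{"name": "DISABLE_OPA", "value": "true"}]}])
# Only spec.containers is inspected, so this Pod is accepted even though the
# init container sets DISABLE_OPA=true: a coverage gap to be aware of.
INIT_ONLY = pod([{"name": "app", "image": "example/app"}],
                init_containers=[{"name": "setup", "image": "example/setup",
                                  "env": [{"name": "DISABLE_OPA", "value": "true"}]}])

if __name__ == "__main__":
    cases = [("no env", NO_ENV), ("DISABLE_OPA=true", OPA_TRUE),
             ("DISABLE_OPA=false", OPA_FALSE), ("sidecar true", SIDECAR_TRUE),
             ("initContainer true", INIT_ONLY)]
    for label, p in cases:
        verdict = "allowed" if policy_allows(p) else "DISABLE_OPA must not be set to true."
        print(f"{label:20} -> {verdict}")
```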