Restrict Service Port Range in CEL expressions

Services which are allowed to expose any port number may be able to impact other applications running on the Node which require them, or may make specifying security policy externally more challenging. This policy enforces that only the port range 32000 to 33000 may be used for Service resources.

Policy Definition

/other-cel/restrict-service-port-range/restrict-service-port-range.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-service-port-range
  annotations:
    policies.kyverno.io/title: Restrict Service Port Range in CEL expressions
    policies.kyverno.io/category: Other in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Service
    policies.kyverno.io/description: >-
      Services which are allowed to expose any port number may be able
      to impact other applications running on the Node which require them,
      or may make specifying security policy externally more challenging.
      This policy enforces that only the port range 32000 to 33000 may
      be used for Service resources.
spec:
  # Audit records violations in policy reports without blocking the request;
  # switch to Enforce once existing Services have been reviewed.
  validationFailureAction: Audit
  rules:
  - name: restrict-port-range
    match:
      any:
      - resources:
          kinds:
          - Service
          operations:
          - CREATE
          - UPDATE
    validate:
      cel:
        expressions:
          # Every entry in spec.ports must fall inside the allowed range;
          # a single out-of-range port fails the whole Service.
          - expression: "object.spec.ports.all(p, p.port >= 32000 && p.port <= 33000)"
            message: Ports must be between 32000-33000
```
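To confirm the rule behaves as intended before switching it to Enforce, here is an added example (not part of the policy's own files): a resources file with one compliant and one non-compliant Service, and a Kyverno CLI test definition expecting one pass and one fail. The file names and Service names are assumptions.

```yaml
# resources.yaml (constructed sample input)
apiVersion: v1
kind: Service
metadata:
  name: svc-in-range
spec:
  selector:
    app: demo
  ports:
  - name: http
    port: 32080      # inside 32000-33000: passes
    targetPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: svc-out-of-range
spec:
  selector:
    app: demo
  ports:
  - name: http
    port: 32080
    targetPort: 8080
  - name: metrics
    port: 9090       # outside the range: all() fails for the whole Service
    targetPort: 9090
---
# kyverno-test.yaml, run from the same directory with: kyverno test .
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: restrict-service-port-range
policies:
- restrict-service-port-range.yaml
resources:
- resources.yaml
results:
- policy: restrict-service-port-range
  rule: restrict-port-range
  kind: Service
  resources:
  - svc-in-range
  result: pass
- policy: restrict-service-port-range
  rule: restrict-port-range
  kind: Service
  resources:
  - svc-out-of-range
  result: fail
```

Because the policy is in Audit mode, a violating Service in a real cluster is admitted and only surfaces in the PolicyReport, so the CLI test is the quickest way to see the rule reject a resource.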