Pods which run containers of very large image size take longer to pull and require more space to store. A user may either inadvertently or purposefully name an image which is unusually large to disrupt operations. This policy checks the size of every container image and blocks if it is over 2 Gibibytes.
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: block-large-images
  annotations:
    policies.kyverno.io/title: Block Large Images
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.15.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Pods which run containers of very large image size take longer to pull and
      require more space to store. A user may either inadvertently or purposefully
      name an image which is unusually large to disrupt operations. This policy
      checks the size of every container image and blocks if it is over 2 Gibibytes.
spec:
  evaluation:
    background:
      enabled: true
  validationActions:
    - Audit
  variables:
    - name: allContainers
      expression: object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])
    - name: maxSizeBytes
      expression: "2147483648"
  matchConstraints:
    resourceRules:
      - resources:
          - pods
        operations:
          - CREATE
          - UPDATE
        apiGroups:
          - ""
        apiVersions:
          - v1
  validations:
    - message: images with size greater than 2Gi not allowed
      expression: variables.allContainers.all(container, image.GetMetadata(container.image).manifest.layers.map(layer, layer.size).sum() <= variables.maxSizeBytes)
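The validation above evaluates, for every regular, init and ephemeral container, whether the sum of the image manifest's layer sizes is at most 2147483648 bytes (2 GiB); note that with validationActions set to Audit the policy only reports violations, so Deny is needed for the admission request to actually be rejected. The following script is an added illustration of that same check in Python, not Kyverno's code: it replays the CEL logic over constructed sample manifests and Pod specs (the registry names, images and layer sizes are invented), so that the boundary behaviour of the `<=` comparison and the coverage of initContainers can be seen offline.

```python
# Added example: mirrors the block-large-images validation in plain Python.
# Image manifests are constructed stand-ins for what image.GetMetadata()
# would fetch from a registry; they are not real registry data.

GIB = 1024 ** 3
MIB = 1024 ** 2

# Same threshold the policy stores in variables.maxSizeBytes ("2147483648").
MAX_SIZE_BYTES = 2 * GIB

# Constructed OCI-style manifests keyed by image reference (hypothetical names).
SAMPLE_MANIFESTS = {
    "registry.example/app:1.0": {
        "schemaVersion": 2,
        "config": {"size": 1500},
        "layers": [{"size": 30 * MIB}, {"size": 120 * MIB}],
    },
    # Exactly 2 GiB: allowed, because the policy compares with <=.
    "registry.example/base:exact": {
        "schemaVersion": 2,
        "config": {"size": 1200},
        "layers": [{"size": GIB}, {"size": GIB}],
    },
    # One byte over 2 GiB: rejected.
    "registry.example/ml-model:latest": {
        "schemaVersion": 2,
        "config": {"size": 2000},
        "layers": [{"size": GIB}, {"size": GIB}, {"size": 1}],
    },
}


def image_size_bytes(manifest):
    """manifest.layers.map(layer, layer.size).sum() from the CEL expression."""
    return sum(layer["size"] for layer in manifest.get("layers", []))


def all_containers(pod):
    """object.spec.containers + optional initContainers + optional ephemeralContainers."""
    spec = pod.get("spec", {})
    return (
        spec.get("containers", [])
        + spec.get("initContainers", [])
        + spec.get("ephemeralContainers", [])
    )


def oversized_images(pod, lookup=SAMPLE_MANIFESTS, max_bytes=MAX_SIZE_BYTES):
    """Image references in the Pod whose summed layer size exceeds max_bytes."""
    too_big = []
    for container in all_containers(pod):
        ref = container["image"]
        manifest = lookup.get(ref)
        if manifest is None:
            # Real policy evaluation would fail here; surface it rather than pass silently.
            raise KeyError(f"no manifest available for {ref}")
        if image_size_bytes(manifest) > max_bytes:
            too_big.append(ref)
    return too_big


def pod_allowed(pod, lookup=SAMPLE_MANIFESTS, max_bytes=MAX_SIZE_BYTES):
    """True when every container passes, like allContainers.all(...) in CEL."""
    return not oversized_images(pod, lookup, max_bytes)


# Constructed Pod specs used for the demonstration.
SMALL_POD = {"spec": {"containers": [{"name": "app", "image": "registry.example/app:1.0"}]}}
BOUNDARY_POD = {"spec": {"containers": [{"name": "base", "image": "registry.example/base:exact"}]}}
# The oversized image is only in an initContainer, which the policy still inspects.
LARGE_POD = {
    "spec": {
        "initContainers": [{"name": "fetch", "image": "registry.example/ml-model:latest"}],
        "containers": [{"name": "app", "image": "registry.example/app:1.0"}],
    }
}

if __name__ == "__main__":
    for label, pod in [("small", SMALL_POD), ("boundary", BOUNDARY_POD), ("large", LARGE_POD)]:
        verdict = "allowed" if pod_allowed(pod) else "images with size greater than 2Gi not allowed"
        print(f"{label}: {verdict} {oversized_images(pod)}")
```

The lookup dictionary stands in for the registry round-trip that image.GetMetadata performs; the sizes summed are the compressed layer sizes recorded in the manifest, which is what the CEL expression reads as well.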