Namespace Inventory Check

In cases such as multi-tenancy, where new Namespaces must be fully provisioned before they can be used, it may not be easy to declare and understand if and when a Namespace is ready. A policy that defines all the resources required for each Namespace can assist in determining compliance. This policy, expected to be run in background mode only, performs a Namespace inventory check to ensure that every Namespace has a ResourceQuota and a NetworkPolicy. Additional rules may be written to extend the check for your needs. By default, background scans occur every hour; this interval can be changed with an additional container flag. Please see the installation documentation for details.

Policy Definition

/other/namespace-inventory-check/namespace-inventory-check.yaml

```yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: namespace-inventory-check
  annotations:
    policies.kyverno.io/title: Namespace Inventory Check
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace
    kyverno.io/kyverno-version: 1.9.0
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      In cases such as multi-tenancy where new Namespaces must be fully
      provisioned before they can be used, it may not be easy to declare and
      understand if/when the Namespace is ready. Having a policy which defines
      all the resources which are required for each Namespace can assist in determining
      compliance. This policy, expected to be run in background mode only, performs a Namespace
      inventory check to ensure that all Namespaces have a ResourceQuota and NetworkPolicy.
      Additional rules may be written to extend the check for your needs. By default, background
      scans occur every one hour which may be changed with an additional container flag. Please
      see the installation documentation for details.
spec:
  background: true
  validationFailureAction: Audit
  rules:
  - name: resourcequotas
    match:
      any:
      - resources:
          kinds:
          - Namespace
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - kube-public
          - kube-node-lease
    context:
    - name: resourcequotas
      apiCall:
        urlPath: "/api/v1/namespaces/{{request.object.metadata.name}}/resourcequotas"
        jmesPath: "items[] | length(@)"
    validate:
      message: "Every Namespace must have at least one ResourceQuota."
      deny:
        conditions:
          all:
          - key: "{{ resourcequotas }}"
            operator: Equals
            value: 0
  - name: networkpolicies
    match:
      any:
      - resources:
          kinds:
          - Namespace
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - kube-public
          - kube-node-lease
    context:
    - name: netpols
      apiCall:
        urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.object.metadata.name}}/networkpolicies"
        jmesPath: "items[] | length(@)"
    validate:
      message: "Every Namespace must have at least one NetworkPolicy."
      deny:
        conditions:
          all:
          - key: "{{ netpols }}"
            operator: Equals
            value: 0
```
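To make the two rules' behaviour concrete, here is an added Python model of the policy logic (illustration only, not Kyverno's engine and not part of the policy): it applies the same exclude list, API paths, item count and `Equals 0` deny condition to constructed API responses for the hypothetical namespaces team-a and team-b.

```python
"""Offline model of the namespace-inventory-check policy (added example, not Kyverno code)."""
from typing import Dict, List

# Namespaces skipped by both rules, taken from the policy's exclude block.
EXCLUDED = {"kube-system", "kube-public", "kube-node-lease"}

# (rule name, URL template queried by the apiCall context, deny message)
RULES = [
    ("resourcequotas", "/api/v1/namespaces/{ns}/resourcequotas",
     "Every Namespace must have at least one ResourceQuota."),
    ("networkpolicies", "/apis/networking.k8s.io/v1/namespaces/{ns}/networkpolicies",
     "Every Namespace must have at least one NetworkPolicy."),
]


def count_items(api_response: dict) -> int:
    """Mirrors the policy's JMESPath `items[] | length(@)` on a Kubernetes list response."""
    return len(api_response.get("items") or [])


def evaluate(namespaces: List[str], api: Dict[str, dict]) -> List[dict]:
    """Return one row per (namespace, rule), like the entries of a background-scan PolicyReport."""
    rows = []
    for ns in namespaces:
        if ns in EXCLUDED:  # exclude.any.resources.namespaces
            continue
        for rule, url, message in RULES:
            # A path with no recorded response is treated as an empty list (0 items).
            n = count_items(api.get(url.format(ns=ns), {"items": []}))
            result = "fail" if n == 0 else "pass"  # deny when count Equals 0
            rows.append({"namespace": ns, "rule": rule, "result": result,
                         "message": message if result == "fail" else ""})
    return rows


def failing_namespaces(rows: List[dict]) -> List[str]:
    """Namespaces that are not yet fully provisioned according to the policy."""
    return sorted({r["namespace"] for r in rows if r["result"] == "fail"})


# Constructed sample cluster state (hypothetical): team-a is complete, team-b lacks a
# NetworkPolicy, kube-system has neither but is excluded from the check.
SAMPLE_NAMESPACES = ["kube-system", "team-a", "team-b"]
SAMPLE_API = {
    "/api/v1/namespaces/team-a/resourcequotas": {"items": [{"metadata": {"name": "team-a-quota"}}]},
    "/apis/networking.k8s.io/v1/namespaces/team-a/networkpolicies": {"items": [{"metadata": {"name": "default-deny"}}]},
    "/api/v1/namespaces/team-b/resourcequotas": {"items": [{"metadata": {"name": "team-b-quota"}}]},
    "/apis/networking.k8s.io/v1/namespaces/team-b/networkpolicies": {"items": []},
}

if __name__ == "__main__":
    for row in evaluate(SAMPLE_NAMESPACES, SAMPLE_API):
        print(row)
```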