Policy for PolicyExceptions
A PolicyException grants the applicable resource(s) or subject(s) the ability to bypass an existing Kyverno policy. Care should be taken to ensure that the allowed PolicyExceptions are scoped narrowly enough and in line with your organization's operating practices. This is a Kyverno policy intended to provide guardrails for Kyverno PolicyExceptions and contains a number of rules which may help with these scoping best practices. These rules may be changed or removed depending on the exception practices to be implemented.
Policy Definition
/other/policy-for-exceptions/policy-for-exceptions.yaml
```yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: policy-for-exceptions
  annotations:
    policies.kyverno.io/title: Policy for PolicyExceptions
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: PolicyException
    policies.kyverno.io/description: >-
      A PolicyException grants the applicable resource(s) or subject(s) the ability
      to bypass an existing Kyverno policy. Care should be taken to ensure that
      the allowed PolicyExceptions are scoped fine enough and according to your
      organization's operation. This is a Kyverno policy intended to provide guardrails
      for Kyverno PolicyExceptions and contains a number of rules which may help
      with these scoping best practices. These rules may be changed/removed depending
      on the exception practices to be implemented.
spec:
  validationFailureAction: Audit
  background: false
  rules:
  - name: single-policy
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    validate:
      message: >-
        An exception is only allowed for a single policy.
        Please create a separate exception per policy.
      deny:
        conditions:
          any:
          - key: "{{request.object.spec.exceptions[] | length(@)}}"
            operator: GreaterThan
            value: 1
  - name: require-match-name
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    validate:
      message: >-
        An exception must explicitly specify a name for a resource match.
      pattern:
        spec:
          match:
            =(any):
            - resources:
                names: "?*"
            =(all):
            - resources:
                names: "?*"
  - name: require-subject
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    validate:
      message: >-
        An exception must explicitly specify a subject which is expected to create the resource.
      pattern:
        spec:
          match:
            =(any):
            - subjects:
              - name: "?*"
            =(all):
            - subjects:
              - name: "?*"
  - name: no-cross-namespace-exceptions
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    validate:
      message: >-
        An exception can only be created in the same Namespace as the resource being excluded.
      deny:
        conditions:
          any:
          - key: "{{ request.object.spec.match.[any, all][].resources[].namespaces[] || `[]`}}"
            operator: AnyNotIn
            value: "{{ request.namespace }}"
  - name: namespaced-exceptions-only
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    validate:
      message: >-
        An exception can only be created for a Namespaced resource, and a Namespace is required.
      foreach:
      - list: request.object.spec.match.[any, all][]
        deny:
          conditions:
            any:
            - key: "{{ element.resources.namespaces[] || `[]` | length(@) }}"
              operator: Equals
              value: 0
  - name: policy-namespace-match-polex-namespace
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    validate:
      message: >-
        An exception may not be provided for a Namespaced Policy in another Namespace.
      foreach:
      - list: request.object.spec.exceptions[]
        preconditions:
          any:
          - key: "{{element.policyName}}"
            operator: Equals
            value: "*/*"
        deny:
          conditions:
            any:
            - key: "{{ element.policyName}}"
              operator: NotEquals
              value: "{{request.namespace}}/*"
```
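To make the six guardrail rules concrete, the following added example (not part of the Kyverno policy library or the Kyverno engine) re-expresses each rule's deny condition or pattern as a plain Python check and runs it over two constructed PolicyException objects: one scoped narrowly enough to pass every rule, and one broad enough to trip all six. The sample namespaces, policy names and subjects are invented for the demonstration, and the `evaluate` function is a reading of the rules rather than Kyverno's pattern-matching engine; use `kyverno apply` with the real policy for authoritative results.

```python
"""Offline model of the policy-for-exceptions guardrail rules (added example)."""
from fnmatch import fnmatchcase

# Constructed sample: a narrowly scoped exception that satisfies all six rules.
GOOD_POLEX = {
    "apiVersion": "kyverno.io/v2beta1",
    "kind": "PolicyException",
    "metadata": {"name": "allow-debug-shell", "namespace": "team-a"},
    "spec": {
        "exceptions": [{"policyName": "team-a/require-labels", "ruleNames": ["check-team-label"]}],
        "match": {"any": [{
            "resources": {"kinds": ["Pod"], "namespaces": ["team-a"], "names": ["debug-shell"]},
            "subjects": [{"kind": "User", "name": "alice@example.com"}],
        }]},
    },
}

# Constructed sample: an over-broad exception that violates every rule.
BAD_POLEX = {
    "apiVersion": "kyverno.io/v2beta1",
    "kind": "PolicyException",
    "metadata": {"name": "too-broad", "namespace": "team-a"},
    "spec": {
        "exceptions": [
            {"policyName": "team-b/require-labels", "ruleNames": ["check-team-label"]},
            {"policyName": "disallow-privileged", "ruleNames": ["privileged-containers"]},
        ],
        "match": {
            "any": [{"resources": {"kinds": ["Pod"], "namespaces": ["team-b"]}}],
            "all": [{"resources": {"kinds": ["Deployment"]},
                     "subjects": [{"kind": "Group", "name": "devs"}]}],
        },
    },
}


def _match_entries(polex):
    """Flatten spec.match.any and spec.match.all, mirroring `match.[any, all][]`."""
    match = polex.get("spec", {}).get("match", {})
    return list(match.get("any") or []) + list(match.get("all") or [])


def _nonempty_names(values):
    """Reading of pattern `names: "?*"`: field present, every entry a non-empty string."""
    return isinstance(values, list) and bool(values) and all(isinstance(v, str) and v for v in values)


def _has_named_subject(entry):
    """Reading of pattern `subjects: [{name: "?*"}]`: a non-empty list, each with a name."""
    subjects = entry.get("subjects")
    return (isinstance(subjects, list) and bool(subjects)
            and all(isinstance(s.get("name"), str) and s["name"] for s in subjects))


def evaluate(polex):
    """Return the names of the guardrail rules that would deny this PolicyException."""
    spec = polex.get("spec", {})
    request_ns = polex["metadata"]["namespace"]  # stands in for {{ request.namespace }}
    entries = _match_entries(polex)
    exceptions = spec.get("exceptions") or []
    denied = []

    # single-policy: exceptions[] | length(@) > 1
    if len(exceptions) > 1:
        denied.append("single-policy")

    # require-match-name: every any/all entry must carry resources.names
    if not all(_nonempty_names((e.get("resources") or {}).get("names")) for e in entries):
        denied.append("require-match-name")

    # require-subject: every any/all entry must carry subjects[].name
    if not all(_has_named_subject(e) for e in entries):
        denied.append("require-subject")

    # no-cross-namespace-exceptions: AnyNotIn over every namespace listed in the match
    listed = [ns for e in entries for ns in ((e.get("resources") or {}).get("namespaces") or [])]
    if any(ns != request_ns for ns in listed):
        denied.append("no-cross-namespace-exceptions")

    # namespaced-exceptions-only: foreach entry, resources.namespaces must be non-empty
    if any(len((e.get("resources") or {}).get("namespaces") or []) == 0 for e in entries):
        denied.append("namespaced-exceptions-only")

    # policy-namespace-match-polex-namespace: a "<ns>/<name>" policyName must use request.namespace
    for ex in exceptions:
        name = ex.get("policyName", "")
        if fnmatchcase(name, "*/*") and not fnmatchcase(name, f"{request_ns}/*"):
            denied.append("policy-namespace-match-polex-namespace")
            break
    return denied


if __name__ == "__main__":
    for label, polex in (("good", GOOD_POLEX), ("bad", BAD_POLEX)):
        print(label, evaluate(polex) or "allowed")
```

Because the real policy runs in `Audit` mode, a PolicyException like `BAD_POLEX` would be admitted to the cluster and only reported; switching `validationFailureAction` to `Enforce` once the rule set matches your exception practice is what turns the report into a rejection.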