A PolicyException grants the applicable resource(s) or subject(s) the ability to bypass an existing Kyverno policy. Care should be taken to ensure that the allowed PolicyExceptions are scoped narrowly enough and in line with how your organization operates. This is a Kyverno policy intended to provide guardrails for Kyverno PolicyExceptions and contains a number of rules which may help with these scoping best practices. These rules may be changed or removed depending on the exception practices to be implemented.
```yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: policy-for-exceptions
  annotations:
    policies.kyverno.io/title: Policy for PolicyExceptions
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: PolicyException
    policies.kyverno.io/description: >-
      A PolicyException grants the applicable resource(s) or subject(s) the ability
      to bypass an existing Kyverno policy. Care should be taken to ensure that the
      allowed PolicyExceptions are scoped fine enough and according to your
      organization's operation. This is a Kyverno policy intended to provide
      guardrails for Kyverno PolicyExceptions and contains a number of rules which
      may help with these scoping best practices. These rules may be changed/removed
      depending on the exception practices to be implemented.
spec:
  validationFailureAction: Audit
  background: false
  rules:
  - name: single-policy
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    validate:
      message: An exception is only allowed for a single policy. Please create a separate exception per policy.
      deny:
        conditions:
          any:
          - key: "{{request.object.spec.exceptions[] | length(@)}}"
            operator: GreaterThan
            value: 1
  - name: require-match-name
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    validate:
      message: An exception must explicitly specify a name for a resource match.
      pattern:
        spec:
          match:
            "=(any)":
            - resources:
                names: "?*"
            "=(all)":
            - resources:
                names: "?*"
  - name: require-subject
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    validate:
      message: An exception must explicitly specify a subject which is expected to create the resource.
      pattern:
        spec:
          match:
            "=(any)":
            - subjects:
              - name: "?*"
            "=(all)":
            - subjects:
              - name: "?*"
  - name: no-cross-namespace-exceptions
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    validate:
      message: An exception can only be created in the same Namespace as the resource being excluded.
      deny:
        conditions:
          any:
          - key: "{{ request.object.spec.match.[any, all][].resources[].namespaces[] || `[]`}}"
            operator: AnyNotIn
            value: "{{ request.namespace }}"
  - name: namespaced-exceptions-only
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    validate:
      message: An exception can only be created for a Namespaced resource, and a Namespace is required.
      foreach:
      - list: request.object.spec.match.[any, all][]
        deny:
          conditions:
            any:
            - key: "{{ element.resources.namespaces[] || `[]` | length(@) }}"
              operator: Equals
              value: 0
  - name: policy-namespace-match-polex-namespace
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    validate:
      message: An exception may not be provided for a Namespaced Policy in another Namespace.
      foreach:
      - list: request.object.spec.exceptions[]
        preconditions:
          any:
          - key: "{{element.policyName}}"
            operator: Equals
            value: "*/*"
        deny:
          conditions:
            any:
            - key: "{{ element.policyName}}"
              operator: NotEquals
              value: "{{request.namespace}}/*"
```
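The six rules above can be hard to reason about from the JMESPath and pattern syntax alone. The following is an added example, not part of the Kyverno policy or the Kyverno project: it re-implements the same six checks as plain Python over a PolicyException manifest (a dict in the kyverno.io/v2beta1 shape), so a manifest can be vetted offline before it reaches the admission controller. The two manifests, their policy names and namespaces, and the helper names are constructed for this example.

```python
# Added example (not Kyverno's code): the six guardrail rules of the
# policy-for-exceptions ClusterPolicy, re-implemented as Python checks.
# Manifests are dicts in the kyverno.io/v2beta1 PolicyException shape; the two
# samples at the bottom are constructed for this example.
from fnmatch import fnmatchcase


def match_entries(polex):
    """All entries under spec.match.any and spec.match.all, mirroring the
    JMESPath `spec.match.[any, all][]` used by the policy."""
    match = (polex.get("spec") or {}).get("match") or {}
    return list(match.get("any") or []) + list(match.get("all") or [])


def _res(entry, field):
    """entry.resources.<field>, or [] when absent (the `|| \\`[]\\`` fallback)."""
    return (entry.get("resources") or {}).get(field) or []


def check_policy_exception(polex):
    """Return [(rule_name, message), ...]; an empty list means all rules pass."""
    spec = polex.get("spec") or {}
    ns = (polex.get("metadata") or {}).get("namespace", "")  # request.namespace
    exceptions = spec.get("exceptions") or []
    entries = match_entries(polex)
    found = []

    # single-policy: `spec.exceptions[] | length(@)` must not be greater than 1
    if len(exceptions) > 1:
        found.append(("single-policy",
                      "An exception is only allowed for a single policy."))

    # require-match-name: pattern `names: "?*"` means every match entry lists
    # resource names and none of them is empty
    if any(not _res(e, "names") or not all(_res(e, "names")) for e in entries):
        found.append(("require-match-name",
                      "An exception must explicitly specify a name for a resource match."))

    # require-subject: every match entry carries subjects with non-empty names
    if any(not (e.get("subjects") or [])
           or not all(s.get("name") for s in e.get("subjects") or [])
           for e in entries):
        found.append(("require-subject",
                      "An exception must explicitly specify a subject which is "
                      "expected to create the resource."))

    # no-cross-namespace-exceptions: AnyNotIn -> deny if any listed namespace
    # differs from the namespace the PolicyException itself lives in
    if any(n != ns for e in entries for n in _res(e, "namespaces")):
        found.append(("no-cross-namespace-exceptions",
                      "An exception can only be created in the same Namespace "
                      "as the resource being excluded."))

    # namespaced-exceptions-only: foreach match entry, namespaces must be non-empty
    if any(not _res(e, "namespaces") for e in entries):
        found.append(("namespaced-exceptions-only",
                      "An exception can only be created for a Namespaced "
                      "resource, and a Namespace is required."))

    # policy-namespace-match-polex-namespace: `Equals "*/*"` is a wildcard
    # match, so only namespaced Policies (referenced as namespace/name) are
    # examined; those must live in the PolicyException's own namespace
    for ex in exceptions:
        name = ex.get("policyName", "")
        if fnmatchcase(name, "*/*") and not fnmatchcase(name, ns + "/*"):
            found.append(("policy-namespace-match-polex-namespace",
                          "An exception may not be provided for a Namespaced "
                          "Policy in another Namespace."))
            break
    return found


def compliant_exception():
    """Constructed sample that satisfies all six rules."""
    return {
        "apiVersion": "kyverno.io/v2beta1", "kind": "PolicyException",
        "metadata": {"name": "legacy-gateway-nonroot", "namespace": "payments"},
        "spec": {
            "exceptions": [{"policyName": "require-run-as-nonroot",
                            "ruleNames": ["run-as-non-root"]}],
            "match": {"any": [{
                "resources": {"kinds": ["Deployment"], "namespaces": ["payments"],
                              "names": ["legacy-gateway"]},
                "subjects": [{"kind": "ServiceAccount", "name": "gateway-deployer",
                              "namespace": "payments"}]}]}}}


def noncompliant_exception():
    """Constructed sample: two policies, no names, no subjects, a foreign
    namespace, and a namespaced Policy from another namespace."""
    return {
        "apiVersion": "kyverno.io/v2beta1", "kind": "PolicyException",
        "metadata": {"name": "too-broad", "namespace": "payments"},
        "spec": {
            "exceptions": [{"policyName": "require-run-as-nonroot"},
                           {"policyName": "staging/disallow-latest-tag"}],
            "match": {"any": [{"resources": {"kinds": ["Deployment"],
                                             "namespaces": ["payments", "staging"]}}]}}}


if __name__ == "__main__":
    for polex in (compliant_exception(), noncompliant_exception()):
        print(polex["metadata"]["name"], "->",
              [rule for rule, _ in check_policy_exception(polex)] or "allowed")
```

Note that the ClusterPolicy above runs with `validationFailureAction: Audit`, so in a cluster these violations are only reported as PolicyReport entries; switching it to `Enforce` makes the admission request fail in the same cases this script flags.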