Prevent Bare Pods

Pods not created by workload controllers such as Deployments have no self-healing or scaling abilities and are unsuitable for production. This policy prevents such "bare" Pods from being created unless they originate from a higher-level workload controller of some sort.

Policy Definition

/other/prevent-bare-pods/prevent-bare-pods.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: prevent-bare-pods
  annotations:
    policies.kyverno.io/title: Prevent Bare Pods
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/category: Other, EKS Best Practices
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Pods not created by workload controllers such as Deployments
      have no self-healing or scaling abilities and are unsuitable for production.
      This policy prevents such "bare" Pods from being created unless they originate
      from a higher-level workload controller of some sort.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: bare-pods
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: "Bare Pods are not allowed. They must be created by Pod controllers."
      deny:
        conditions:
          any:
          - key: ownerReferences
            operator: AnyNotIn
            value: "{{request.object.metadata.keys(@)}}"
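To see exactly what the rule above decides for a given Pod, here is an offline simulation of its two checks: the precondition that skips DELETE operations (substituting 'BACKGROUND' when no operation is present, as in a background scan) and the deny condition that fires when `ownerReferences` is not among the keys of `metadata`. This is an added example, not Kyverno's evaluator or any code from the policy library; the request dicts are constructed to resemble the `{{request}}` context the policy reads, and the names `evaluate_prevent_bare_pods`, `BARE_POD_REQUEST` and `REPLICASET_POD_REQUEST` are the example's own.

```python
"""Offline simulation of the prevent-bare-pods rule (added example; not
Kyverno's own engine). Models the {{request}} context as a plain dict:
request["operation"] is CREATE/UPDATE/DELETE or absent for a background
scan, and request["object"] is the Pod manifest."""

# Message text copied from the policy's validate.message field.
DENY_MESSAGE = "Bare Pods are not allowed. They must be created by Pod controllers."


def evaluate_prevent_bare_pods(request: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for one admission-style request."""
    # Precondition: "{{request.operation || 'BACKGROUND'}}" NotEquals DELETE.
    # A background scan carries no operation, so the policy's default kicks in
    # and existing bare Pods are still reported.
    operation = request.get("operation") or "BACKGROUND"
    if operation == "DELETE":
        return True, "skipped: precondition excludes DELETE"

    pod = request["object"]
    # The rule's match block only selects kind: Pod.
    if pod.get("kind") != "Pod":
        return True, "skipped: rule matches only Pod"

    # deny condition: 'ownerReferences' AnyNotIn {{request.object.metadata.keys(@)}}
    # i.e. deny when the metadata map has no ownerReferences key at all.
    metadata_keys = list(pod.get("metadata", {}).keys())
    if "ownerReferences" not in metadata_keys:
        return False, DENY_MESSAGE
    return True, "allowed: Pod carries an ownerReference"


# Constructed sample requests (not captured from a real cluster).
BARE_POD_REQUEST = {
    "operation": "CREATE",
    "object": {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "debug-shell", "namespace": "default"},
        "spec": {"containers": [{"name": "sh", "image": "busybox"}]},
    },
}

REPLICASET_POD_REQUEST = {
    "operation": "CREATE",
    "object": {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {
            "name": "web-7c6d8f-abcde",
            "namespace": "default",
            # What a Deployment-managed Pod looks like: the ReplicaSet owns it.
            "ownerReferences": [
                {
                    "apiVersion": "apps/v1",
                    "kind": "ReplicaSet",
                    "name": "web-7c6d8f",
                    "uid": "00000000-0000-0000-0000-000000000000",  # placeholder uid
                    "controller": True,
                }
            ],
        },
        "spec": {"containers": [{"name": "web", "image": "nginx"}]},
    },
}


def delete_request(pod_request: dict) -> dict:
    """Same Pod, but submitted as a DELETE operation."""
    return {"operation": "DELETE", "object": pod_request["object"]}


def background_request(pod_request: dict) -> dict:
    """Same Pod as seen by a background scan: no request.operation at all."""
    return {"object": pod_request["object"]}


if __name__ == "__main__":
    cases = [
        ("bare Pod, CREATE", BARE_POD_REQUEST),
        ("ReplicaSet-owned Pod, CREATE", REPLICASET_POD_REQUEST),
        ("bare Pod, DELETE", delete_request(BARE_POD_REQUEST)),
        ("bare Pod, background scan", background_request(BARE_POD_REQUEST)),
    ]
    for label, req in cases:
        allowed, reason = evaluate_prevent_bare_pods(req)
        print(f"{label:32s} -> {'PASS' if allowed else 'FAIL'}: {reason}")
```

Two points the simulation makes visible. First, because `validationFailureAction` is `Audit`, a real Kyverno deployment reports the `FAIL` rows in a PolicyReport rather than blocking the request; switch to `Enforce` once the report shows no legitimate bare Pods. Second, the `pod-policies.kyverno.io/autogen-controllers: none` annotation matters here: without it Kyverno would auto-generate the same rule against the Pod templates of Deployments, DaemonSets and the like, and those templates never carry `ownerReferences`, so every controller would be flagged.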