Record Creation Details

Kubernetes by default does not make a record of who or what created a resource in that resource itself. It must be retrieved from an audit log, if enabled, which can make it difficult for cluster operators to know who was responsible for an object's creation. This policy writes an annotation with the key `kyverno.io/created-by` having all the userInfo fields present in the AdmissionReview request for any object being created. It then protects this annotation from tampering or removal, making it immutable. Although this policy matches on all kinds ("*"), it is highly recommended to more narrowly scope it to only the resources which should be labeled.

Policy Definition

/other/record-creation-details/record-creation-details.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: record-creation-details
  annotations:
    policies.kyverno.io/title: Record Creation Details
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Annotation
    policies.kyverno.io/description: >-
      Kubernetes by default does not make a record of who or what
      created a resource in that resource itself. It must be retrieved from
      an audit log, if enabled, which can make it difficult for cluster
      operators to know who was responsible for an object's creation.
      This policy writes an annotation with the key `kyverno.io/created-by`
      having all the userInfo fields present in the AdmissionReview request
      for any object being created. It then protects this annotation from
      tampering or removal making it immutable. Although this policy matches on
      all kinds ("*") it is highly recommend to more narrowly scope it to only
      the resources which should be labeled.
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: add-userinfo
    match:
      any:
      - resources:
          kinds:
          - '*'
    preconditions:
      any:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: Equals
        value: CREATE
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            kyverno.io/created-by: "{{ request.userInfo | to_string(@) }}"
  - name: prevent-updates-deletes-userinfo-annotations
    match:
      any:
      - resources:
          kinds:
          - '*'
    preconditions:
      any:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: Equals
        value: UPDATE
      - key: "{{ request.oldObject.metadata.annotations.\"kyverno.io/created-by\" || '' }}"
        operator: Equals
        value: "?*"
    validate:
      message: The annotation kyverno.io/created-by is protected and may not be altered or removed.
      deny:
        conditions:
          any:
          - key: "{{ request.object.metadata.annotations.\"kyverno.io/created-by\" || '' }}"
            operator: Equals
            value: ""
          - key: "{{ request.object.metadata.annotations.\"kyverno.io/created-by\" || '' }}"
            operator: NotEquals
            value: "{{ request.oldObject.metadata.annotations.\"kyverno.io/created-by\" }}"
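To see what the two rules above do to a concrete admission request, here is an added Python model of the policy's decision logic (written for this page, not Kyverno's engine or a file from the policy repo). It assumes that `to_string(@)` renders `request.userInfo` as JSON, uses a constructed requester, and also exercises the gap in the second rule's precondition: an object that was never stamped (created before the policy was installed) is not protected.

```python
import copy
import json

ANNOTATION = "kyverno.io/created-by"
DENY_MSG = "The annotation kyverno.io/created-by is protected and may not be altered or removed."

def _annotation(obj):
    """Mirror of the JMESPath lookup with `|| ''` fallback: missing annotation -> ''."""
    return obj.get("metadata", {}).get("annotations", {}).get(ANNOTATION, "")

def mutate_on_create(review):
    """Rule add-userinfo: on CREATE, copy request.userInfo into the annotation.
    Assumption: Kyverno's to_string(@) serialises the userInfo object as JSON,
    modelled here with json.dumps. Any other operation passes through untouched."""
    obj = copy.deepcopy(review["object"])
    if review.get("operation", "BACKGROUND") != "CREATE":
        return obj
    ann = obj.setdefault("metadata", {}).setdefault("annotations", {})
    ann[ANNOTATION] = json.dumps(review["userInfo"], separators=(",", ":"))
    return obj

def validate_on_update(review):
    """Rule prevent-updates-deletes-userinfo-annotations. Returns (allowed, message).
    The "?*" precondition requires the OLD object to already carry a non-empty
    annotation, so objects that were never stamped are not protected at all."""
    if review.get("operation", "BACKGROUND") != "UPDATE":
        return True, ""
    old = _annotation(review["oldObject"])
    if old == "":
        return True, ""          # precondition not met: rule does not apply
    new = _annotation(review["object"])
    if new == "" or new != old:  # removed, or changed to anything else
        return False, DENY_MSG
    return True, ""

# Constructed sample requester; not data from a real cluster.
USERINFO = {"username": "jane@example.com", "uid": "0000-constructed-0000",
            "groups": ["system:authenticated", "dev-team"]}

def create_request(obj):
    return {"operation": "CREATE", "userInfo": USERINFO, "object": obj}

def update_request(old, new):
    return {"operation": "UPDATE", "userInfo": USERINFO, "oldObject": old, "object": new}

if __name__ == "__main__":
    cm = {"kind": "ConfigMap", "metadata": {"name": "app-config"}}
    stamped = mutate_on_create(create_request(cm))
    print(stamped["metadata"]["annotations"][ANNOTATION])
    stripped = copy.deepcopy(stamped)
    del stripped["metadata"]["annotations"][ANNOTATION]
    print(validate_on_update(update_request(stamped, stripped)))  # denied
    print(validate_on_update(update_request(cm, stamped)))        # allowed: never stamped
```

Because the protection only applies once the annotation exists, a practitioner rolling this out should expect pre-existing objects to remain unstamped and editable until they are recreated.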