Some annotations control functionality driven by other cluster-wide tools and are not normally set by some class of users. This policy prevents the use of an annotation beginning with `fluxcd.io/`. This can be useful to ensure users either don't set reserved annotations or to force them to use a newer version of an annotation.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-annotations
  annotations:
    policies.kyverno.io/title: Restrict Annotations
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/subject: Pod, Annotation
    policies.kyverno.io/description: >-
      Some annotations control functionality driven by other cluster-wide tools
      and are not normally set by some class of users. This policy prevents the use
      of an annotation beginning with `fluxcd.io/`. This can be useful to ensure
      users either don't set reserved annotations or to force them to use a newer
      version of an annotation.
    pod-policies.kyverno.io/autogen-controllers: none
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: block-flux-v1
    match:
      any:
      - resources:
          kinds:
          - Deployment
          - CronJob
          - Job
          - StatefulSet
          - DaemonSet
          - Pod
    validate:
      message: Cannot use Flux v1 annotation.
      pattern:
        metadata:
          "=(annotations)":
            X(fluxcd.io/*): "*?"
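To make the pattern anchors concrete, here is an added Python evaluator (not part of the Kyverno policy library) that mirrors the `block-flux-v1` rule: the `=(annotations)` conditional anchor skips the check when the resource has no annotations at all, and the `X(fluxcd.io/*)` negation anchor rejects any annotation key matching that wildcard. The three manifests and the `validate_restrict_annotations` helper are constructed for this example; Kyverno's own wildcard matcher is approximated here with `fnmatch`.

```python
import fnmatch

# Constructed sample resources (not from the page): one carrying a Flux v1
# annotation, one with only unrelated annotations, one with no annotations block.
FLUX_V1 = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web",
                 "annotations": {"fluxcd.io/automated": "true", "owner": "team-a"}},
}
CLEAN = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "annotations": {"owner": "team-a"}},
}
NO_ANNOTATIONS = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "p"}}

# Kinds listed in the policy's match block.
MATCHED_KINDS = {"Deployment", "CronJob", "Job", "StatefulSet", "DaemonSet", "Pod"}
# Key wildcard taken from the policy's X() negation anchor.
DENIED_KEY_PATTERN = "fluxcd.io/*"
MESSAGE = "Cannot use Flux v1 annotation."


def validate_restrict_annotations(resource: dict) -> tuple[bool, str]:
    """Evaluate rule block-flux-v1 against one resource; returns (passed, detail).

    Pattern semantics modelled here:
      =(annotations)       conditional anchor: only checked if the key exists
      X(fluxcd.io/*): "*?" negation anchor: no key matching the wildcard may exist,
                           whatever its value
    """
    if resource.get("kind") not in MATCHED_KINDS:
        return True, "rule does not match this kind"
    annotations = resource.get("metadata", {}).get("annotations")
    if annotations is None:
        # =() anchor: the nested pattern is skipped when annotations are absent.
        return True, "no annotations present; nothing to check"
    # fnmatch approximates Kyverno wildcards: '*' any run, '?' one character.
    offending = sorted(k for k in annotations
                       if fnmatch.fnmatchcase(k, DENIED_KEY_PATTERN))
    if offending:
        return False, f"{MESSAGE} (found: {', '.join(offending)})"
    return True, "no reserved annotations found"
```

Because the policy runs with `validationFailureAction: Audit` and `background: true`, a real deployment would report these failures in PolicyReports rather than block admission; switching to `Enforce` is what turns the failing case into a denied request.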
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer deployed in AWS support transport encryption when it is enabled via an annotation. This policy requires that Services of type LoadBalancer carry the annotation `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` with some value.
This policy prevents updates to the project field after an Application is created.