Scheduling non-system Pods to control plane nodes (which run kubelet) is often undesirable because it takes away resources from the control plane components and can represent a possible security threat vector. This policy prevents users from setting a toleration in a Pod spec which allows running on control plane nodes with the taint key `node-role.kubernetes.io/master`.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-controlplane-scheduling
  annotations:
    policies.kyverno.io/title: Restrict control plane scheduling
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Scheduling non-system Pods to control plane nodes (which run kubelet) is often
      undesirable because it takes away resources from the control plane components
      and can represent a possible security threat vector. This policy prevents users
      from setting a toleration in a Pod spec which allows running on control plane
      nodes with the taint key `node-role.kubernetes.io/master`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: restrict-controlplane-scheduling-master
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: Pods may not use tolerations which schedule on control plane nodes.
      pattern:
        spec:
          "=(tolerations)":
          - key: "!node-role.kubernetes.io/master"
  - name: restrict-controlplane-scheduling-control-plane
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: Pods may not use tolerations which schedule on control plane nodes.
      pattern:
        spec:
          "=(tolerations)":
          - key: "!node-role.kubernetes.io/control-plane"
```
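The following is an added example, not part of the Kyverno policy page or the Kyverno project: a small Python re-implementation of the two validate rules above, so the policy's effect can be checked offline against constructed Pod manifests. The `evaluate_pod` and `make_pod` helpers are hypothetical; they mirror the `=(tolerations)` conditional anchor (a Pod with no tolerations passes) and the `!key` negation, and also show the one case the key-based pattern does not cover, a toleration with an empty key and `operator: Exists`, which Kubernetes treats as tolerating every taint.

```python
"""Offline mirror of the restrict-controlplane-scheduling Kyverno policy (hypothetical helper)."""

# Taint keys checked by the two rules on the page.
CONTROL_PLANE_TAINT_KEYS = (
    "node-role.kubernetes.io/master",
    "node-role.kubernetes.io/control-plane",
)
MESSAGE = "Pods may not use tolerations which schedule on control plane nodes."


def evaluate_pod(pod: dict) -> list:
    """Return the rule violations for a Pod manifest; an empty list means the Pod passes.

    "=(tolerations)" is a conditional anchor: the pattern only applies when the
    Pod has a tolerations block. A single-element list pattern is applied to
    every toleration, and a leading "!" means the key must NOT equal that value.
    """
    tolerations = pod.get("spec", {}).get("tolerations")
    if not tolerations:
        return []
    violations = []
    for toleration in tolerations:
        key = toleration.get("key", "")
        for taint_key in CONTROL_PLANE_TAINT_KEYS:
            if key == taint_key:
                violations.append(f"{taint_key}: {MESSAGE}")
    return violations


def make_pod(name: str, tolerations=None) -> dict:
    """Constructed sample Pod manifest (not a real workload)."""
    spec = {"containers": [{"name": "app", "image": "nginx:1.25"}]}
    if tolerations is not None:
        spec["tolerations"] = tolerations
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


def coverage_gap_passes() -> bool:
    """An empty key with operator Exists tolerates every taint, including the control
    plane ones, but no key equals the taint keys, so the pattern does not flag it."""
    wildcard = make_pod("wildcard", [{"operator": "Exists"}])
    return evaluate_pod(wildcard) == []


if __name__ == "__main__":
    for pod in (make_pod("plain"),
                make_pod("master", [{"key": "node-role.kubernetes.io/master", "operator": "Exists"}]),
                make_pod("cp", [{"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}])):
        print(pod["metadata"]["name"], evaluate_pod(pod) or "passes")
```

A taint-agnostic wildcard toleration therefore needs a separate rule (for example one that denies tolerations with no `key` at all) if the intent is to keep every non-system Pod off control plane nodes.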