Add PSA Namespace Reporting in CEL expressions
This policy ensures that every namespace in a Kubernetes cluster carries Pod Security Admission (PSA) labels, which define the security level a namespace enforces and make pods in that namespace operate under the selected Pod Security Standard (PSS). The policy audits namespaces to verify that PSA labels are present. If a namespace is found without the required labels, the policy generates and maintains a ClusterPolicyReport in the default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation.
Policy Definition
/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-psa-namespace-reporting
  annotations:
    policies.kyverno.io/title: Add PSA Namespace Reporting in CEL expressions
    policies.kyverno.io/category: Pod Security Admission, EKS Best Practices in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Namespace
    policies.kyverno.io/description: >-
      This policy ensures that every namespace in a Kubernetes cluster carries
      Pod Security Admission (PSA) labels, which define the security level a
      namespace enforces and make pods in that namespace operate under the
      selected Pod Security Standard (PSS). The policy audits namespaces to
      verify that PSA labels are present. If a namespace is found without the
      required labels, the policy generates and maintains a ClusterPolicyReport
      in the default namespace. This helps administrators identify namespaces
      that do not comply with the organization's security practices and take
      appropriate action to rectify the situation.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: check-namespace-labels
      match:
        any:
          - resources:
              kinds:
                - Namespace
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            - expression: "object.metadata.?labels.orValue([]).exists(label, label.startsWith('pod-security.kubernetes.io/') && object.metadata.labels[label] != '')"
              message: This Namespace is missing a PSA label.
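To see what the CEL expression above accepts and rejects without a cluster, here is an added Python example (not part of the Kyverno policy catalog) that mirrors the check over constructed Namespace objects and, going one step beyond the policy, also flags PSA label keys or PSS level values that Pod Security Admission itself would not recognise. The sample namespaces, the `audit` and `psa_problems` helpers and their names are assumptions made for this example.

```python
from typing import Dict, List

PSA_PREFIX = "pod-security.kubernetes.io/"
PSA_MODES = {"enforce", "audit", "warn"}          # each may also carry a "-version" key
PSS_LEVELS = {"privileged", "baseline", "restricted"}
MESSAGE = "This Namespace is missing a PSA label."  # the policy's own message


def _labels(ns: dict) -> Dict[str, str]:
    # Mirrors object.metadata.?labels.orValue([]): absent labels behave as empty.
    return ns.get("metadata", {}).get("labels") or {}


def has_psa_label(ns: dict) -> bool:
    """Mirror of the CEL expression: some label has the PSA prefix and a non-empty value."""
    return any(k.startswith(PSA_PREFIX) and v != "" for k, v in _labels(ns).items())


def psa_problems(ns: dict) -> List[str]:
    """Stricter than the policy: flag PSA keys or PSS levels that PSA would not recognise."""
    problems = []
    for key, value in _labels(ns).items():
        if not key.startswith(PSA_PREFIX):
            continue
        mode = key[len(PSA_PREFIX):]
        if mode.endswith("-version"):
            if mode[: -len("-version")] not in PSA_MODES:
                problems.append(f"unknown PSA version key {key}")
        elif mode not in PSA_MODES:
            problems.append(f"unknown PSA mode key {key}")
        elif value not in PSS_LEVELS:
            problems.append(f"{key}={value!r} is not a Pod Security Standard level")
    return problems


def audit(namespaces: List[dict]) -> Dict[str, str]:
    """Per-namespace result, as an Audit-mode policy report would record it."""
    return {ns["metadata"]["name"]: ("pass" if has_psa_label(ns) else f"fail: {MESSAGE}")
            for ns in namespaces}


# Constructed sample Namespace objects (not taken from any real cluster).
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "prod", "labels": {PSA_PREFIX + "enforce": "restricted",
                                             PSA_PREFIX + "enforce-version": "latest"}}},
    {"metadata": {"name": "legacy"}},                                           # no labels
    {"metadata": {"name": "blank", "labels": {PSA_PREFIX + "enforce": ""}}},    # empty value
    {"metadata": {"name": "typo", "labels": {PSA_PREFIX + "enfore": "baseline"}}},
    {"metadata": {"name": "level", "labels": {PSA_PREFIX + "warn": "strict"}}},
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_NAMESPACES).items():
        print(f"{name:8} {result}")
    for ns in SAMPLE_NAMESPACES:
        for problem in psa_problems(ns):
            print(f"{ns['metadata']['name']:8} warning: {problem}")
```

Note that "typo" and "level" pass the policy's check exactly as they would in Kyverno, because the expression only requires a non-empty label with the prefix; the stricter `psa_problems` pass is what surfaces them.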