This policy ensures that every Namespace in a Kubernetes cluster carries Pod Security Admission (PSA) labels. Those labels select the Pod Security Standard (PSS) level that applies to the Namespace, so pods created there are admitted under the defined standard. Rather than blocking unlabeled Namespaces, this policy runs in Audit mode: it checks each Namespace for the presence of a PSA label and, when one is missing, generates and maintains a ClusterPolicyReport entry for it. This helps administrators identify Namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation. Note that the rule only checks that some label with the `pod-security.kubernetes.io/` prefix carries a non-empty value; a Namespace that sets only a `warn` or `audit` label, or only an `enforce-version` label, passes the check even though nothing is enforced there.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-psa-namespace-reporting
  annotations:
    policies.kyverno.io/title: Add PSA Namespace Reporting in CEL expressions
    policies.kyverno.io/category: Pod Security Admission, EKS Best Practices in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: 1.26-1.27
    policies.kyverno.io/subject: Namespace
    policies.kyverno.io/description: >-
      This policy ensures that every Namespace in a Kubernetes cluster carries
      Pod Security Admission (PSA) labels, which select the Pod Security
      Standard (PSS) level under which pods in that Namespace are admitted.
      The policy runs in Audit mode: it checks each Namespace for the presence
      of a PSA label and, when one is missing, generates and maintains a
      ClusterPolicyReport entry for it. This helps administrators identify
      Namespaces that do not comply with the organization's security practices
      and take appropriate action to rectify the situation.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: check-namespace-labels
      match:
        any:
          - resources:
              kinds:
                - Namespace
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            # Passes when at least one label key carries the PSA prefix and a
            # non-empty value; the optional accessor (?labels) handles Namespaces
            # that have no labels map at all.
            - expression: >-
                object.metadata.?labels.orValue([]).exists(label,
                label.startsWith('pod-security.kubernetes.io/') && object.metadata.labels[label] != '')
              message: This Namespace is missing a PSA label.
```
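To see exactly which Namespace shapes the CEL rule above accepts and rejects without a cluster, the following Python dry-run re-implements the rule's logic over constructed Namespace manifests. This is an added illustration, not Kyverno's own code or part of the policy: the `has_psa_label` function mirrors the CEL expression, `enforced_level` is a stricter check of my own (the policy does not make it) that exposes Namespaces which pass the rule while enforcing nothing, and `audit` produces ClusterPolicyReport-style result entries. The sample Namespaces are constructed for the example.

```python
"""Offline dry run of the check-namespace-labels rule (added example).

Mirrors the policy's CEL expression in Python so the accepted and rejected
Namespace shapes can be inspected without a cluster. Not Kyverno code.
"""
from __future__ import annotations

PSA_PREFIX = "pod-security.kubernetes.io/"
PSS_LEVELS = {"privileged", "baseline", "restricted"}


def has_psa_label(namespace: dict) -> bool:
    """Mirror of the CEL rule:
    object.metadata.?labels.orValue([]).exists(label,
        label.startsWith('pod-security.kubernetes.io/')
        && object.metadata.labels[label] != '')
    Passes if any label key carries the PSA prefix and a non-empty value.
    """
    labels = namespace.get("metadata", {}).get("labels") or {}
    return any(k.startswith(PSA_PREFIX) and v != "" for k, v in labels.items())


def enforced_level(namespace: dict) -> str | None:
    """Stricter check than the policy (my addition, not part of the rule):
    the value of the enforce label if it names a valid PSS level, else None.

    A warn- or audit-only Namespace, or one that sets only enforce-version,
    satisfies the CEL rule but still admits privileged pods.
    """
    labels = namespace.get("metadata", {}).get("labels") or {}
    level = labels.get(PSA_PREFIX + "enforce")
    return level if level in PSS_LEVELS else None


def audit(namespaces: list[dict]) -> list[dict]:
    """Produce ClusterPolicyReport-style result entries, one per Namespace."""
    results = []
    for ns in namespaces:
        ok = has_psa_label(ns)
        results.append({
            "resource": ns["metadata"]["name"],
            "rule": "check-namespace-labels",
            "result": "pass" if ok else "fail",
            "message": "" if ok else "This Namespace is missing a PSA label.",
            "enforced": enforced_level(ns),
        })
    return results


def make_ns(name: str, labels: dict | None = None) -> dict:
    """Build a minimal Namespace manifest; labels=None omits the map entirely."""
    meta = {"name": name}
    if labels is not None:
        meta["labels"] = labels
    return {"apiVersion": "v1", "kind": "Namespace", "metadata": meta}


# Constructed sample Namespaces for the example (not from any real cluster).
SAMPLE_NAMESPACES = [
    make_ns("no-labels"),
    make_ns("unrelated-labels", {"team": "payments"}),
    make_ns("empty-psa-value", {PSA_PREFIX + "enforce": ""}),
    make_ns("warn-only", {PSA_PREFIX + "warn": "restricted"}),
    make_ns("version-only", {PSA_PREFIX + "enforce-version": "latest"}),
    make_ns("enforced", {PSA_PREFIX + "enforce": "baseline",
                         PSA_PREFIX + "enforce-version": "latest"}),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_NAMESPACES):
        print(f"{r['resource']:18} {r['result']:4} "
              f"enforce={r['enforced']}  {r['message']}")
```

Running it shows the first three samples failing and the last three passing; of the passing ones only `enforced` actually has an enforce level, which is the gap that would need a tighter expression (for example requiring `object.metadata.labels['pod-security.kubernetes.io/enforce']` to be one of the PSS levels) if the organization's intent is enforcement rather than mere labeling.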
This policy prevents an Argo CD Application from using the `default` project.
On AWS, a Service of type LoadBalancer provisions a load balancer that only terminates TLS when a certificate is configured for it through an annotation. This policy requires that every Service of type LoadBalancer carry the annotation `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` with a non-empty value, so that the load balancer is not left serving plaintext.
This policy makes the `project` field of an Argo CD Application immutable: once the Application has been created, updates that change the field are rejected.