Block Tekton TaskRun
Restrict creation of TaskRun resources to the Tekton pipelines controller.
Policy Definition
/tekton/block-tekton-task-runs/block-tekton-task-runs.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-tekton-task-runs
  annotations:
    policies.kyverno.io/title: Block Tekton TaskRun
    policies.kyverno.io/category: Tekton
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: TaskRun
    kyverno.io/kyverno-version: 1.7.1
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Restrict creation of TaskRun resources to the Tekton pipelines controller.
spec:
  # Audit: violations are reported, but the request is still admitted.
  validationFailureAction: Audit
  # Evaluate admission requests only; no background scans of existing resources.
  background: false
  rules:
  - name: check-taskrun-user
    match:
      any:
      - resources:
          kinds:
          - TaskRun
    # Requests made by the Tekton pipelines controller service account are exempt.
    exclude:
      any:
      - subjects:
        - kind: User
          name: "system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: Creating a TaskRun is not allowed.
      # No conditions: every request that reaches this point fails validation.
      deny: {}
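
The following is an added example, not part of the policy or of Kyverno: a simplified Python model of how the rule's match, exclude and preconditions blocks decide the outcome for an admission request. The `evaluate`, `make_request` and `run_samples` helpers and all sample usernames other than the controller's are assumptions constructed for illustration.

```python
# Simplified model of the check-taskrun-user rule; not Kyverno's engine.
CONTROLLER = "system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"


def evaluate(request, failure_action="Audit"):
    """Return 'skip', 'audit' or 'deny' for an AdmissionReview-style request."""
    # match: only TaskRun resources are in scope.
    if request["kind"]["kind"] != "TaskRun":
        return "skip"
    # exclude: the policy's name has no wildcard, so compare the username exactly.
    if request["userInfo"]["username"] == CONTROLLER:
        return "skip"
    # preconditions: same default as the policy's JMESPath expression.
    if (request.get("operation") or "BACKGROUND") not in ("CREATE", "UPDATE"):
        return "skip"
    # validate.deny: {} has no conditions, so every remaining request fails.
    return "deny" if failure_action.lower() == "enforce" else "audit"


def make_request(kind, operation, username):
    """Build the subset of an admission request that the rule inspects."""
    return {"kind": {"kind": kind}, "operation": operation,
            "userInfo": {"username": username}}


# Constructed sample requests (usernames other than CONTROLLER are made up).
SAMPLES = [
    make_request("TaskRun", "CREATE", CONTROLLER),
    make_request("TaskRun", "CREATE", "alice@example.com"),
    make_request("TaskRun", "UPDATE", "system:serviceaccount:ci:builder"),
    make_request("TaskRun", "DELETE", "alice@example.com"),
    make_request("PipelineRun", "CREATE", "alice@example.com"),
    make_request("TaskRun", "CREATE", CONTROLLER + "-copy"),
]


def run_samples(failure_action="Audit"):
    """Evaluate every constructed sample under the given failure action."""
    return [evaluate(r, failure_action) for r in SAMPLES]


if __name__ == "__main__":
    for r, outcome in zip(SAMPLES, run_samples()):
        print(r["operation"], r["kind"]["kind"], r["userInfo"]["username"], "->", outcome)
```

With the policy as published (`Audit`), the non-controller CREATE and UPDATE requests are only reported; passing `"Enforce"` to `run_samples` shows which of them would be rejected instead.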