Require Tekton Bundle

PipelineRun and TaskRun resources must be executed from a bundle

Policy Definition

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-tekton-bundle
  annotations:
    policies.kyverno.io/title: Require Tekton Bundle
    policies.kyverno.io/category: Tekton
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: TaskRun, PipelineRun
    kyverno.io/kyverno-version: 1.7.1
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: PipelineRun and TaskRun resources must be executed from a bundle
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: check-bundle-pipelinerun
      match:
        any:
          - resources:
              kinds:
                - PipelineRun
      validate:
        message: A bundle is required.
        pattern:
          spec:
            pipelineRef:
              bundle: "?*"
    - name: check-bundle-taskrun
      match:
        any:
          - resources:
              kinds:
                - TaskRun
      validate:
        message: A bundle is required.
        pattern:
          spec:
            taskRef:
              bundle: "?*"

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application

ValidateMedium

Require Encryption with AWS LoadBalancers

Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.

Service

ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application