Block Velero Restore to Protected Namespace in CEL expressions

Velero handles backup and restore operations and is designed to run with full cluster-admin permissions. It supports cross-namespace restores, which means a backup of namespace A can be restored into namespace B. This policy protects against restore operations into system or other protected namespaces, as listed in the deny condition. It checks the Restore CRD object and its namespaceMapping field: if a destination namespace matches a protected namespace, the operation fails and a warning message is returned.

Policy Definition

/velero-cel/block-velero-restore/block-velero-restore.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-velero-restore
  annotations:
    policies.kyverno.io/title: Block Velero Restore to Protected Namespace in CEL expressions
    policies.kyverno.io/category: Velero in CEL
    policies.kyverno.io/subject: Restore
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Velero allows on backup and restore operations and is designed to be run with full cluster admin permissions.
      It allows on cross namespace restore operations, which means you can restore backup of namespace A to namespace B.
      This policy protect restore operation into system or any protected namespaces, listed in deny condition section.
      It checks the Restore CRD object and its namespaceMapping field. If destination match protected namespace
      then operation fails and warning message is throw.
spec:
  validationFailureAction: Audit
  background: false
  rules:
  - name: block-velero-restore-to-protected-namespace
    match:
      any:
      - resources:
          kinds:
          - velero.io/v1/Restore
          operations:
          - CREATE
          - UPDATE
    validate:
      cel:
        variables:
          - name: namespaceMappingValues
            expression: "has(object.spec.namespaceMapping) ? object.spec.namespaceMapping.map(nsmap, object.spec.namespaceMapping[nsmap]) : []"
        expressions:
          - expression: "!variables.namespaceMappingValues.exists(val, val in ['kube-system', 'kube-node-lease'])"
            messageExpression: "'Warning! Restore to protected namespace: ' + variables.namespaceMappingValues.join(', ') + ' is not allowed!'"
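To trace what the CEL variable and validation expression above actually decide, here is an added example (not part of the Kyverno policy library) that re-implements the same logic in plain Python and runs it over constructed Velero Restore objects; the backup name and Restore names are made up for the sample.

```python
"""Plain-Python mirror of the block-velero-restore CEL check (added example,
not the policy's own code), evaluated against constructed Restore objects."""
from __future__ import annotations
from typing import Any

# Destination namespaces listed in the policy's deny condition.
PROTECTED_NAMESPACES = {"kube-system", "kube-node-lease"}


def namespace_mapping_values(restore: dict[str, Any]) -> list[str]:
    """Mirror of the CEL variable `namespaceMappingValues`: the destination
    side of spec.namespaceMapping, or [] when the field is absent (this is
    what the has() guard in the expression protects against)."""
    mapping = restore.get("spec", {}).get("namespaceMapping")
    return list(mapping.values()) if mapping else []


def evaluate(restore: dict[str, Any]) -> tuple[bool, str | None]:
    """Return (allowed, message). `allowed` mirrors the validation expression:
    the check passes only if no destination value is a protected namespace.
    Like the CEL messageExpression, the message joins every mapping value."""
    values = namespace_mapping_values(restore)
    if any(v in PROTECTED_NAMESPACES for v in values):
        return False, ("Warning! Restore to protected namespace: "
                       + ", ".join(values) + " is not allowed!")
    return True, None


def restore_object(name: str, mapping: dict[str, str] | None) -> dict[str, Any]:
    """Build a minimal constructed velero.io/v1 Restore manifest."""
    spec: dict[str, Any] = {"backupName": "nightly"}  # constructed backup name
    if mapping is not None:
        spec["namespaceMapping"] = mapping
    return {"apiVersion": "velero.io/v1", "kind": "Restore",
            "metadata": {"name": name, "namespace": "velero"}, "spec": spec}


if __name__ == "__main__":
    cases = [
        restore_object("plain", None),                          # no mapping: passes
        restore_object("app-move", {"app-a": "app-b"}),         # passes
        restore_object("to-system", {"app-a": "kube-system"}),  # fails the check
        restore_object("from-system", {"kube-system": "app-b"}),  # passes: only
        # destination values are inspected, source keys are not
    ]
    for r in cases:
        allowed, msg = evaluate(r)
        print(r["metadata"]["name"], "pass" if allowed else "fail", msg or "")
```

Note that the policy only inspects namespaceMapping, so a Restore with no mapping that restores a backup of a protected namespace into itself is not caught, and that with `validationFailureAction: Audit` a failed check is reported in the policy report rather than rejected at admission; set it to `Enforce` to block the request.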