All Policies
Block Velero Restore to Protected Namespace
Velero allows on backup and restore operations and is designed to be run with full cluster admin permissions. It allows on cross namespace restore operations, which means you can restore backup of namespace A to namespace B. This policy protect restore operation into system or any protected namespaces, listed in deny condition section. It checks the Restore CRD object and its namespaceMapping field. If destination match protected namespace then operation fails and warning message is throw.
Policy Definition
/velero/block-velero-restore/block-velero-restore.yaml
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: block-velero-restore
5 annotations:
6 policies.kyverno.io/title: Block Velero Restore to Protected Namespace
7 policies.kyverno.io/category: Velero
8 policies.kyverno.io/subject: Restore
9 policies.kyverno.io/description: >-
10 Velero allows on backup and restore operations and is designed to be run with full cluster admin permissions.
11 It allows on cross namespace restore operations, which means you can restore backup of namespace A to namespace B.
12 This policy protect restore operation into system or any protected namespaces, listed in deny condition section.
13 It checks the Restore CRD object and its namespaceMapping field. If destination match protected namespace
14 then operation fails and warning message is throw.
15spec:
16 validationFailureAction: Audit
17 background: false
18 rules:
19 - name: block-velero-restore-to-protected-namespace
20 match:
21 any:
22 - resources:
23 kinds:
24 - velero.io/v1/Restore
25 validate:
26 message: "Warning! Restore to protected namespace: {{request.object.spec.namespaceMapping | values(@)}} is not allowed!"
27 deny:
28 conditions:
29 any:
30 - key: "{{request.object.spec.namespaceMapping || `{}` | values(@)}}"
31 operator: AnyIn
32 value:
33 - kube-system
34 - kube-node-lease