enhancement: use optionals in CEL policies to remove redundant expressions #1112

Merged
merged 3 commits into from
Aug 9, 2024
Expand Up @@ -28,6 +28,6 @@ spec:
validate:
cel:
expressions:
- expression: "has(object.spec.project) && object.spec.project != 'default'"
- expression: "object.spec.?project.orValue('') != 'default'"
message: "The default project may not be used in an Application."
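Review bot: The rewritten expression on the second `- expression:` line changes what happens when `spec.project` is absent: the old form denied (`has()` failed), while `orValue('')` now yields `'' != 'default'`, which is true, so an Application with no project is admitted. If Argo CD falls back to the default project when `spec.project` is empty (hedged — not visible here), that is exactly the case the message says must be blocked. Preserving the old deny-when-absent behaviour is a one-token change: `- expression: "object.spec.?project.orValue('default') != 'default'"`. Every other policy in this PR keeps its absent-field outcome; this one does not.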

Expand Up @@ -19,6 +19,6 @@ annotations:
kyverno/category: "Argo in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Application"
digest: aeb2bc00375b7c44bb36ca7a3cd2f5f80ed17548abf98529d4617803be71196d
digest: 30a66468036d5a7d5f63e5581d7a4dbb33f6d93ecdfca566f9a465b11d441acb
createdAt: "2024-04-30T16:03:57Z"

Expand Up @@ -20,6 +20,6 @@ annotations:
kyverno/category: "AWS, EKS Best Practices in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Service"
digest: 0a2c4fcb1a4aa5900aef0abba83625024def643c47ccfe1c6e0d1314c484f6f5
digest: e2320be39a69521f5420e33890a87b1195a3658022e1e23909387e9dc0937c2e
createdAt: "2024-05-11T16:01:13Z"

Expand Up @@ -34,7 +34,6 @@ spec:
cel:
expressions:
- expression: >-
has(object.metadata.annotations) &&
'service.beta.kubernetes.io/aws-load-balancer-ssl-cert' in object.metadata.annotations && object.metadata.annotations['service.beta.kubernetes.io/aws-load-balancer-ssl-cert'] != ''
object.metadata.?annotations[?'service.beta.kubernetes.io/aws-load-balancer-ssl-cert'].orValue('') != ''
message: "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert."

Expand Up @@ -19,6 +19,6 @@ annotations:
kyverno/category: "Best Practices in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Ingress"
digest: 0ffe2735a10b721569cf7139d0d7d51dbc9327beae68e50e4f54f560804548e9
digest: e07447adca26bd41cf44f7cced9f50fef4d6293d142a5092d0a95f4473747043
createdAt: "2024-03-09T14:19:51Z"

Expand Up @@ -30,7 +30,6 @@ spec:
cel:
expressions:
- expression: >-
!has(object.spec.rules) ||
object.spec.rules.all(rule, has(rule.host) && has(rule.http))
object.spec.?rules.orValue([]).all(rule, has(rule.host) && has(rule.http))
message: "The Ingress host name must be defined, not empty."

2 changes: 1 addition & 1 deletion best-practices-cel/require-drop-all/artifacthub-pkg.yml
Expand Up @@ -19,6 +19,6 @@ annotations:
kyverno/category: "Best Practices in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: c3d8959bdc68460e21ff5495994d0bb1a3aa7cb7a5b31740af33638b2dad466c
digest: e30e0e6e98ad92017d641eddc650335cb688873b2c14c666fda925f3e809ae40
createdAt: "2024-03-10T05:05:42Z"

7 changes: 2 additions & 5 deletions best-practices-cel/require-drop-all/require-drop-all.yaml
Expand Up @@ -32,13 +32,10 @@ spec:
cel:
variables:
- name: allContainers
expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
expressions:
- expression: >-
variables.allContainers.all(container,
has(container.securityContext) &&
has(container.securityContext.capabilities) &&
has(container.securityContext.capabilities.drop) &&
container.securityContext.capabilities.drop.exists(capability, capability.upperAscii() == 'ALL'))
container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() == 'ALL'))
message: "Containers must drop `ALL` capabilities."

Expand Up @@ -19,6 +19,6 @@ annotations:
kyverno/category: "Best Practices in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: ef4e56b25b29423934e0e21cdea2d6c4e0ae3e67d84a1456f52b3d66fe9fa25a
digest: 28cac97e2c441528f12158cc0c6d3c8c07067537831a88d5445a2128b42746b4
createdAt: "2024-03-15T03:05:47Z"

Expand Up @@ -33,14 +33,11 @@ spec:
cel:
variables:
- name: allContainers
expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
expressions:
- expression: >-
variables.allContainers.all(container,
has(container.securityContext) &&
has(container.securityContext.capabilities) &&
has(container.securityContext.capabilities.drop) &&
container.securityContext.capabilities.drop.exists(capability, capability.upperAscii() == 'CAP_NET_RAW'))
container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() == 'CAP_NET_RAW'))
message: >-
Containers must drop the `CAP_NET_RAW` capability.

2 changes: 1 addition & 1 deletion best-practices-cel/require-labels/artifacthub-pkg.yml
Expand Up @@ -19,6 +19,6 @@ annotations:
kyverno/category: "Best Practices in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod, Label"
digest: cdcd97f2977e45e753975a75184c12d37e297a615f50322be925e64885ffa5e0
digest: 90e1ceb1c27f70169fcd448cb48df4c7694d8252e060da24c7b2e9bb16a4fc88
createdAt: "2024-03-06T19:31:45Z"

3 changes: 1 addition & 2 deletions best-practices-cel/require-labels/require-labels.yaml
Expand Up @@ -31,7 +31,6 @@ spec:
cel:
expressions:
- expression: >-
has(object.metadata.labels) &&
'app.kubernetes.io/name' in object.metadata.labels && object.metadata.labels['app.kubernetes.io/name'] != ""
object.metadata.?labels[?'app.kubernetes.io/name'].orValue('') != ""
message: "The label `app.kubernetes.io/name` is required."

2 changes: 1 addition & 1 deletion best-practices-cel/require-ro-rootfs/artifacthub-pkg.yml
Expand Up @@ -20,6 +20,6 @@ annotations:
kyverno/category: "Best Practices, EKS Best Practices in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: 08e28ef463ea200092f19e279fa3da071b276315f555b579786c564bbb8718c5
digest: fe244b770ce2bc266f6af712404255b2968f26448614498fdf2f103ae82a1343
createdAt: "2024-03-07T12:35:00Z"

3 changes: 1 addition & 2 deletions best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml
Expand Up @@ -33,7 +33,6 @@ spec:
expressions:
- expression: >-
object.spec.containers.all(container,
has(container.securityContext) &&
container.securityContext.readOnlyRootFilesystem == true)
container.?securityContext.?readOnlyRootFilesystem.orValue(false) == true)
message: "Root filesystem must be read-only."
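Review bot: The rewritten check still iterates only `object.spec.containers` (the unchanged line above it), so init containers and ephemeral containers are never required to have `readOnlyRootFilesystem: true`. Other policies touched in this same PR (require-drop-all, disallow-capabilities) already build an `allContainers` variable from `object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])`; adding that `variables:` entry here and iterating `variables.allContainers.all(container,` would close the gap with the same optional-chaining style this PR introduces. The `expressions:` block starts before the hunk, so the `variables:` placement is not visible here.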

Expand Up @@ -20,6 +20,6 @@ annotations:
kyverno/category: "Best Practices, EKS Best Practices in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: cac6e95f5ac6f7d7235349ac935745672c2112a0a5400e8fb1f59c9750850ad0
digest: 8fbe80e4d4b26e2a2acc2160d52bf5b88c4f137567ea569e086439fc1fe1bd49
createdAt: "2024-03-07T13:35:11Z"

Expand Up @@ -32,7 +32,7 @@ spec:
cel:
variables:
- name: allContainers
expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
expressions:
- expression: "variables.allContainers.all(container, container.image.startsWith('eu.foo.io/') || container.image.startsWith('bar.io/'))"
message: "Unknown image registry."
2 changes: 1 addition & 1 deletion consul-cel/enforce-min-tls-version/artifacthub-pkg.yml
Expand Up @@ -19,6 +19,6 @@ annotations:
kyverno/category: "Consul in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Mesh"
digest: 076a14dd5d7a4b4b69d9b7c1c53deab6e8b2c0ce0ed570f3cf07b661fca92aef
digest: ef025b5a358ed684ffe008b5a251e743289f5e2f28e72e49df10c895b1539260
createdAt: "2024-05-02T17:47:54Z"

Expand Up @@ -29,7 +29,6 @@ spec:
cel:
expressions:
- expression: >-
has(object.spec) && has(object.spec.tls) && has(object.spec.tls.incoming) &&
has(object.spec.tls.incoming.tlsMinVersion) && object.spec.tls.incoming.tlsMinVersion == 'TLSv1_2'
object.?spec.?tls.?incoming.?tlsMinVersion.orValue('') == 'TLSv1_2'
message: The minimum version of TLS is TLS v1_2

2 changes: 1 addition & 1 deletion flux-cel/verify-flux-sources/artifacthub-pkg.yml
Expand Up @@ -19,6 +19,6 @@ annotations:
kyverno/category: "Flux in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "GitRepository, Bucket, HelmRepository, ImageRepository"
digest: bf6f3413334accaa083d0b203909b82f74b0131e862799124b940afd86e4372d
digest: 0199445c867ee1e79d766a18fcd11b14b5107e7c2c541645f6ceea8df4e34dac
createdAt: "2024-05-11T15:02:04Z"

4 changes: 2 additions & 2 deletions flux-cel/verify-flux-sources/verify-flux-sources.yaml
Expand Up @@ -56,7 +56,7 @@ spec:
validate:
cel:
expressions:
- expression: "has(object.spec.endpoint) && object.spec.endpoint.endsWith('.myorg.com')"
- expression: "object.spec.?endpoint.orValue('').endsWith('.myorg.com')"
message: ".spec.endpoint must reference an address within the myorg organization."
- name: flux-helm-repositories
match:
Expand Down Expand Up @@ -94,6 +94,6 @@ spec:
validate:
cel:
expressions:
- expression: "has(object.spec.image) && object.spec.image.startsWith('ghcr.io/myorg/')"
- expression: "object.spec.?image.orValue('').startsWith('ghcr.io/myorg/')"
message: ".spec.image must be from an image repository within the myorg organization."

Expand Up @@ -19,6 +19,6 @@ annotations:
kyverno/category: "Istio in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Namespace"
digest: 123feb2a8d1b2743e33b1f91ddf7291c47eedcf2c24ae537a1d3afe6c503338d
digest: 9738fe6b1278148191239c380c074c197841a4926c7ffc1e23cd9a2b22f1175f
createdAt: "2024-05-12T04:38:32Z"

Expand Up @@ -29,6 +29,6 @@ spec:
validate:
cel:
expressions:
- expression: "has(object.metadata.labels) && 'istio-injection' in object.metadata.labels && object.metadata.labels['istio-injection'] == 'enabled'"
- expression: "object.metadata.?labels[?'istio-injection'].orValue('') == 'enabled'"
message: "All new Namespaces must have Istio sidecar injection enabled."

Expand Up @@ -19,6 +19,6 @@ annotations:
kyverno/category: "Istio in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: 5de03c078273ce913a6ebf9064a85be4255b82e36f74bda822984e261363fe8b
digest: 97408c8377b12760f93ab481284a80e6ac7b78f3d04bc89bb44ab55e32054f5c
createdAt: "2024-05-12T04:48:58Z"

Expand Up @@ -32,7 +32,6 @@ spec:
cel:
expressions:
- expression: >-
!has(object.metadata.annotations) || !('sidecar.istio.io/inject' in object.metadata.annotations) ||
object.metadata.annotations['sidecar.istio.io/inject'] != 'false'
object.metadata.?annotations[?'sidecar.istio.io/inject'].orValue('') != 'false'
message: "Pods may not disable sidecar injection by setting the annotation sidecar.istio.io/inject to a value of false."

Expand Up @@ -19,6 +19,6 @@ annotations:
kyverno/category: "Kasten K10 by Veeam in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Deployment, StatefulSet"
digest: e3a088a52aac74e16f9b2776df78891344edd6dc03ee6456dc71d71c34519325
digest: 8717e4f433a73aa59f79c557f17b75d8d7b5ac22839b4993975bba9cf8fb551b
createdAt: "2024-05-12T07:05:48Z"

Expand Up @@ -31,6 +31,6 @@ spec:
validate:
cel:
expressions:
- expression: "has(object.metadata.labels) && has(object.metadata.labels.dataprotection) && object.metadata.labels.dataprotection.startsWith('k10-')"
- expression: "object.metadata.?labels.?dataprotection.orValue('').startsWith('k10-')"
message: "Deployments and StatefulSets that specify 'dataprotection' label must have a valid k10-?* name (use labels: dataprotection: k10-<policyname>)"

Expand Up @@ -19,6 +19,6 @@ annotations:
kyverno/category: "Kasten K10 by Veeam in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Namespace"
digest: e58ab4c2018542a6acd5e97446b09cf04cec26425b9a29f0207c518310c449f3
digest: c277cd02118d9e63dc9e7b842ac27f261c1cd48a3d79a67660e8742d06af62f1
createdAt: "2024-05-12T07:09:08Z"

Expand Up @@ -32,7 +32,7 @@ spec:
validate:
cel:
expressions:
- expression: "has(object.metadata.labels) && has(object.metadata.labels.dataprotection) && object.metadata.labels.dataprotection in ['gold', 'silver', 'bronze', 'none']"
- expression: "object.metadata.?labels.?dataprotection.orValue('') in ['gold', 'silver', 'bronze', 'none']"
message: >-
Namespaces must specify a "dataprotection" label with a value corresponding to a Kasten K10 SLA:

2 changes: 1 addition & 1 deletion kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml
Expand Up @@ -19,6 +19,6 @@ annotations:
kyverno/category: "Kubecost in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod,Label"
digest: e7dc12ab8d4fa467c23bc117db5c9e33e5e0d804c597ee0d88fb9f55f11ab535
digest: 5b50102fc3a29abc915d2a81baee4335a505b3dc749057a310197b0442409a88
createdAt: "2024-05-12T06:59:59Z"

Expand Up @@ -33,11 +33,10 @@ spec:
cel:
expressions:
- expression: >-
has(object.metadata.labels) &&
has(object.metadata.labels.owner) && object.metadata.labels.owner != '' &&
has(object.metadata.labels.team) && object.metadata.labels.team != '' &&
has(object.metadata.labels.department) && object.metadata.labels.department != '' &&
has(object.metadata.labels.app) && object.metadata.labels.app != '' &&
has(object.metadata.labels.env) && object.metadata.labels.env != ''
object.metadata.?labels.?owner.orValue('') != '' &&
object.metadata.?labels.?team.orValue('') != '' &&
object.metadata.?labels.?department.orValue('') != '' &&
object.metadata.?labels.?app.orValue('') != '' &&
object.metadata.?labels.?env.orValue('') != ''
message: "The Kubecost labels `owner`, `team`, `department`, `app`, and `env` are all required for Pods."

Expand Up @@ -19,5 +19,5 @@ annotations:
kyverno/category: "Linkerd in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: 795a7d5ae06f9720bdbcc00ced965d1f7a28540c965628a47abc5621fb8d0033
digest: 5b12ec5eb44fb90ffd0656f835ecb3ed7a119e6304230929eea4cbd5d222d4a1
createdAt: "2024-05-21T15:39:18Z"
Expand Up @@ -30,6 +30,6 @@ spec:
validate:
cel:
expressions:
- expression: "!has(object.metadata.annotations) || !('linkerd.io/inject' in object.metadata.annotations) || object.metadata.annotations['linkerd.io/inject'] != 'disabled'"
- expression: "object.metadata.?annotations[?'linkerd.io/inject'].orValue('') != 'disabled'"
message: "Pods may not disable sidecar injection."

Expand Up @@ -19,5 +19,5 @@ annotations:
kyverno/category: "Linkerd in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Namespace, Annotation"
digest: 54785b725fde31418dffca17c8b9eb619c64db8351743d370b5f628e5235fd93
digest: 35eeae221b613fe7c3ddff2006d6f38e43c2ec6300ec89e7c44ac53ed93e0b62
createdAt: "2024-05-21T16:06:15Z"
Expand Up @@ -29,6 +29,6 @@ spec:
validate:
cel:
expressions:
- expression: "has(object.metadata.annotations) && 'linkerd.io/inject' in object.metadata.annotations && object.metadata.annotations['linkerd.io/inject'] == 'enabled'"
- expression: "object.metadata.?annotations[?'linkerd.io/inject'].orValue('') == 'enabled'"
message: "All Namespaces must set the annotation `linkerd.io/inject` to `enabled`."

Expand Up @@ -20,5 +20,5 @@ annotations:
kyverno/category: "Security, NGINX Ingress in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "ConfigMap, Ingress"
digest: aaf1d6d140eb40ced231f9b1c1e58c76eb89c1974def85df5f0152b72b8d398b
digest: 461b5ea917b380efcf272d0ac6ab2d8f4ceaa6d8c3b0b71efad5a7b23d10ae99
createdAt: "2024-05-21T16:14:12Z"
Expand Up @@ -30,7 +30,7 @@ spec:
validate:
cel:
expressions:
- expression: "!has(object.data) || !('allow-snippet-annotations' in object.data) || object.data['allow-snippet-annotations'] == 'false'"
- expression: "object.?data[?'allow-snippet-annotations'].orValue('false') == 'false'"
message: "ingress-nginx allow-snippet-annotations must be set to false"
- name: check-ingress-annotations
match:
Expand All @@ -44,6 +44,6 @@ spec:
validate:
cel:
expressions:
- expression: "!has(object.metadata.annotations) || !object.metadata.annotations.exists(annotation, annotation.endsWith('-snippet'))"
- expression: "!object.metadata.?annotations.orValue([]).exists(annotation, annotation.endsWith('-snippet'))"
message: "ingress-nginx custom snippets are not allowed"
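Review bot: In the second hunk, `object.metadata.?annotations.orValue([])` supplies a list literal as the fallback for a field that is a string-to-string map; `orValue` expects the fallback to have the same type as the optional's value, so if the checker types `annotations` as a map this will be rejected at policy admission ("no matching overload") rather than silently allowed, and a policy that fails to compile protects nothing. The other `orValue([])` uses in this PR (`spec.?rules`, `?rules`, `?paths`, `?drop`) wrap real lists and are fine. Use the empty map here: `- expression: "!object.metadata.?annotations.orValue({}).exists(annotation, annotation.endsWith('-snippet'))"`; `exists` over a map iterates keys, which matches the original intent.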

Expand Up @@ -20,5 +20,5 @@ annotations:
kyverno/category: "Security, NGINX Ingress in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Ingress"
digest: 1c95fe0afc73a2e5e30376d7594d98b4e58cfd21378e3ea10035742eb960220f
digest: 27e33a96f483688a088cd64017dd8c69ab2677e53f7a66b95a804c897f104755
createdAt: "2024-05-22T07:13:08Z"
Expand Up @@ -30,9 +30,8 @@ spec:
cel:
expressions:
- expression: >-
!has(object.spec.rules) ||
object.spec.rules.all(rule, !has(rule.http) || !has(rule.http.paths) ||
rule.http.paths.all(p,
object.spec.?rules.orValue([]).all(rule,
rule.?http.?paths.orValue([]).all(p,
!p.path.contains('/etc') && !p.path.contains('/var/run/secrets') &&
!p.path.contains('/root') && !p.path.contains('/var/run/kubernetes/serviceaccount') &&
!p.path.contains('/etc/kubernetes/admin.conf')))
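Review bot: The rewrite guards `rules`, `http` and `paths` with optional chaining but still reads `p.path` directly, and `path` is an optional field of an Ingress HTTP path entry; an entry with only `pathType` set would make this evaluate to an error instead of a decision, leaving the outcome to the policy's failure handling rather than to the expression. Applying the same idiom one level deeper keeps the deny semantics for the listed prefixes and avoids the error: `!p.?path.orValue('').contains('/etc') && !p.?path.orValue('').contains('/var/run/secrets') &&` (and likewise for the remaining three `contains` terms). The expression continues past the end of this hunk.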
Expand Up @@ -19,5 +19,5 @@ annotations:
kyverno/category: "Security in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Role,ClusterRole,RBAC"
digest: a12e5cbb7ee88722774bf06d5c086804b4e3151811088be926470b12b8920cf0
digest: 13d430a48c1a18ee97f2e86ad48f5e97f9a188ea3551c6884ff9ee8f1f81e2a6
createdAt: "2024-05-22T09:53:47Z"
Expand Up @@ -29,7 +29,7 @@ spec:
validate:
cel:
expressions:
- expression: "!has(object.rules) || !object.rules.exists(rule, 'anyuid' in rule.resourceNames && ('use' in rule.verbs || '*' in rule.verbs))"
- expression: "!object.?rules.orValue([]).exists(rule, 'anyuid' in rule.resourceNames && ('use' in rule.verbs || '*' in rule.verbs))"
message: >-
Use of the SecurityContextConstraint (SCC) anyuid is not allowed
- name: check-security-context-roleref
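Review bot: The rewritten expression only flags a rule whose `resourceNames` explicitly lists `anyuid`, but in RBAC a rule with no `resourceNames` applies to every name, so a rule granting `use` (or `*`) without `resourceNames` covers anyuid and is not caught; depending on how the evaluator treats the unset field, `'anyuid' in rule.resourceNames` may also raise an error on such a rule instead of a decision. Treating a missing `resourceNames` as matching closes both: `- expression: "!object.?rules.orValue([]).exists(rule, ('use' in rule.verbs || '*' in rule.verbs) && (!has(rule.resourceNames) || 'anyuid' in rule.resourceNames))"`. Narrowing by `rule.resources` is not done in the original either and is left aside here. The rule list continues past the end of this hunk (`check-security-context-roleref`).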
Expand Up @@ -41,13 +41,12 @@ spec:
parameterNotFoundAction: Deny
variables:
- name: allContainers
expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
- name: nsregistries
expression: >-
(has(namespaceObject.metadata.annotations) && 'corp.com/allowed-registries' in namespaceObject.metadata.annotations) ?
namespaceObject.metadata.annotations['corp.com/allowed-registries'] : ' '
namespaceObject.metadata.?annotations[?'corp.com/allowed-registries'].orValue(' ')
- name: clusterregistries
expression: "'registries' in params.data ? params.data['registries'] : ' '"
expression: "params.data[?'registries'].orValue(' ')"
expressions:
- expression: "variables.allContainers.all(container, container.image.startsWith(variables.nsregistries) || container.image.startsWith(variables.clusterregistries))"
message: This Pod names an image that is not from an approved registry.