-
Notifications
You must be signed in to change notification settings - Fork 0
/
05-kyverno-cluster-policy.yaml
51 lines (51 loc) · 1.62 KB
/
05-kyverno-cluster-policy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
---
# Prevent the following type of annotations
# k8s.ovn.org/routing-namespaces: ”blue,foo”
# k8s.ovn.org/bfd-enabled: ""
# k8s.ovn.org/routing-network: ext-gw-net
##
# Prerequisite: Install Kyverno
# oc create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/release/install.yaml
##
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-ext-gw-annotations
annotations:
policies.kyverno.io/title: Restrict External GW Annotations
policies.kyverno.io/category: OVN Security
policies.kyverno.io/severity: high
policies.kyverno.io/subject: Pod, Annotation
policies.kyverno.io/description: >-
Restrict Multiple External Gateway annotations in Pods outside the
preauthorized list of namespaces. This policy prevent rogue Pods from hijacking
traffic in a cluster with the Multiple External Gateway functionality enabled.
pod-policies.kyverno.io/autogen-controllers: None
spec:
validationFailureAction: enforce
background: true
rules:
- name: block-ext-gw-annotations
match:
resources:
kinds:
- Deployment
- CronJob
- Job
- StatefulSet
- DaemonSet
- Pod
- Namespace
exclude:
resources:
# namespaces which can run an external gateway Pods
namespaces:
- frr
validate:
message: Cannot use Multiple External GW annotation in this Namespace.
pattern:
metadata:
=(annotations):
X(k8s.ovn.org/routing-namespaces): "*?"
X(k8s.ovn.org/bfd-enabled): "*?"
X(k8s.ovn.org/routing-network): "*?"