diff --git a/cluster-resources/policies/deployment-verifier.yaml b/cluster-resources/policies/deployment-verifier.yaml deleted file mode 100644 index 9770218..0000000 --- a/cluster-resources/policies/deployment-verifier.yaml +++ /dev/null @@ -1,73 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-deployment-owner -spec: - validationFailureAction: Audit - background: false - rules: - - name: check-pod-owner-is-replicaset-from-deployment - skipBackgroundRequests: true - match: - any: - - resources: - kinds: - - Pod - exclude: - any: - - resources: - namespaces: - - kube-system - - kyverno - - cert-manager - - monitoring - - argocd - - traefik-system - - trivy-system - context: - - name: ownerReplicaSet - apiCall: - method: GET - urlPath: "/apis/apps/v1/namespaces/{{request.namespace}}/replicasets/{{request.object.metadata.ownerReferences[0].name}}" - jmesPath: "@" - preconditions: - all: - - key: "{{ request.object.metadata.ownerReferences || `[]` | [?kind=='ReplicaSet'] | length(@) }}" - operator: GreaterThanOrEquals - value: 1 - validate: - allowExistingViolations: true - message: "Pods must be created through a Deployment resource." - deny: - conditions: - any: - - key: "{{ownerReplicaSet.metadata.ownerReferences[0].kind}}" - operator: NotEquals - value: Deployment - - name: deny-pods-without-replicaset-owner - match: - any: - - resources: - kinds: - - Pod - exclude: - any: - - resources: - namespaces: - - kube-system - - kyverno - - cert-manager - - monitoring - - argocd - - traefik-system - - trivy-system - skipBackgroundRequests: true - validate: - allowExistingViolations: true - message: "Direct pod creation is not allowed. Pods must come from a Deployment managed by ArgoCD." - deny: - conditions: - all: - - key: "{{ request.object.metadata.ownerReferences || `[]` | [?kind=='ReplicaSet'] | length(@) }}" - operator: LessThan - value: 1