Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

kyverno policy remove

Browse Source
This commit is contained in:
snothub
2026-04-08 12:12:09 +02:00
parent 118cae656a
commit 463a96054d
1 changed files with 0 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
cluster-resources/policies/deployment-verifier.yaml
View File

@@ -1,73 +0,0 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-deployment-owner
spec:
validationFailureAction: Audit
background: false
rules:
- name: check-pod-owner-is-replicaset-from-deployment
skipBackgroundRequests: true
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- resources:
namespaces:
- kube-system
- kyverno
- cert-manager
- monitoring
- argocd
- traefik-system
- trivy-system
context:
- name: ownerReplicaSet
apiCall:
method: GET
urlPath: "/apis/apps/v1/namespaces/{{request.namespace}}/replicasets/{{request.object.metadata.ownerReferences[0].name}}"
jmesPath: "@"
preconditions:
all:
- key: "{{ request.object.metadata.ownerReferences || `[]` | [?kind=='ReplicaSet'] | length(@) }}"
operator: GreaterThanOrEquals
value: 1
validate:
allowExistingViolations: true
message: "Pods must be created through a Deployment resource."
deny:
conditions:
any:
- key: "{{ownerReplicaSet.metadata.ownerReferences[0].kind}}"
operator: NotEquals
value: Deployment
- name: deny-pods-without-replicaset-owner
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- resources:
namespaces:
- kube-system
- kyverno
- cert-manager
- monitoring
- argocd
- traefik-system
- trivy-system
skipBackgroundRequests: true
validate:
allowExistingViolations: true
message: "Direct pod creation is not allowed. Pods must come from a Deployment managed by ArgoCD."
deny:
conditions:
all:
- key: "{{ request.object.metadata.ownerReferences || `[]` | [?kind=='ReplicaSet'] | length(@) }}"
operator: LessThan
value: 1