Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

rule

Browse Source
This commit is contained in:
Danijel Simeunovic
2026-02-18 13:13:52 +01:00
parent e06a080eb5
commit a962fd6450
1 changed files with 26 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
cluster-resources/policies/deployment-verifier.yaml
View File

@@ -3,7 +3,7 @@ kind: ClusterPolicy
metadata: metadata:
name: require-deployment-owner name: require-deployment-owner
spec: spec:
validationFailureAction: Enforce validationFailureAction: Audit
background: false background: false
rules: rules:
- name: check-pod-owner-is-replicaset-from-deployment - name: check-pod-owner-is-replicaset-from-deployment
@@ -41,3 +41,28 @@ spec:
- key: "{{ownerReplicaSet.metadata.ownerReferences[0].kind}}" - key: "{{ownerReplicaSet.metadata.ownerReferences[0].kind}}"
operator: NotEquals operator: NotEquals
value: Deployment value: Deployment
- name: deny-pods-without-replicaset-owner
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- resources:
namespaces:
- kube-system
- kyverno
- cert-manager
- monitoring
- argocd
- traefik-system
skipBackgroundRequests: true
validate:
message: "Direct pod creation is not allowed. Pods must come from a Deployment managed by ArgoCD."
deny:
conditions:
all:
- key: "{{ request.object.metadata.ownerReferences || `[]` | [?kind=='ReplicaSet'] | length(@) }}"
operator: LessThan
value: 1