launchpad/cluster-resources/policies/deployment-verifier.yaml
Danijel Simeunovic b27b5ad789 check
2026-02-18 12:11:44 +01:00


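# Kyverno policy: a Pod's controlling owner must be a ReplicaSet that is itself
# controlled by a Deployment (Pod -> ReplicaSet -> Deployment).
# The owner is chosen by the ownerReference flagged `controller: true` rather
# than by list position, because ownerReferences is not ordered and a Pod may
# carry additional, non-controlling owners.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-deployment-owner
spec:
  # Audit reports violations in PolicyReports without rejecting the request;
  # switching to Enforce is a separate rollout decision.
  validationFailureAction: Audit
  # Background scans have no admission request, and this rule depends on
  # {{request.namespace}} / {{request.object}} for its API lookup.
  background: false
  rules:
    - name: check-pod-owner-is-replicaset-from-deployment
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Pods in these namespaces are never evaluated. Every entry is a gap in
      # coverage, so keep the list short and reviewed.
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
                - cert-manager
                - monitoring
                - argocd
      context:
        # Fetch the ReplicaSet that controls the Pod so its own owner can be
        # inspected. The GET runs under the Kyverno admission controller's
        # service account — confirm its RBAC allows reading replicasets.
        # If the Pod has no controlling ReplicaSet the name resolves to null;
        # presumably the preconditions below skip the Pod before this lookup
        # matters — TODO confirm against the installed Kyverno version.
        - name: ownerReplicaSet
          apiCall:
            urlPath: "/apis/apps/v1/namespaces/{{request.namespace}}/replicasets/{{request.object.metadata.ownerReferences[?controller == `true`] | [0].name}}"
            # "@" keeps the whole ReplicaSet object in the variable.
            jmesPath: "@"
      preconditions:
        all:
          # Bare Pods (no ownerReferences) are skipped, not denied. The `[]`
          # default turns a missing field into an empty list so length(@)
          # evaluates to 0 instead of failing on a null input.
          - key: "{{request.object.metadata.ownerReferences || `[]` | length(@)}}"
            operator: GreaterThanOrEquals
            value: 1
          # Only Pods whose controlling owner is a ReplicaSet are checked; Pods
          # controlled directly by a DaemonSet, StatefulSet, Job etc. are out of
          # scope for this rule even though the message reads as if all Pods were.
          - key: "{{request.object.metadata.ownerReferences[?controller == `true`] | [0].kind}}"
            operator: Equals
            value: ReplicaSet
      validate:
        message: "Pods must be created through a Deployment resource."
        deny:
          conditions:
            any:
              # A ReplicaSet with no Deployment controller (e.g. one created
              # directly) yields null here, which is NotEquals Deployment and is
              # therefore reported as a violation.
              - key: "{{ownerReplicaSet.metadata.ownerReferences[?controller == `true`] | [0].kind}}"
                operator: NotEquals
                value: Deployment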