From f152e2d85a74f59b5cae708350777fd54b9bc4d1 Mon Sep 17 00:00:00 2001 From: Steven Smiley <53946040+StevenSmiley@users.noreply.github.com> Date: Wed, 31 Jul 2024 05:45:59 -0700 Subject: [PATCH] Add policies to enforce or add Istio ambient mode (#1084) * feat: add policy to enforce Istio ambient mode Signed-off-by: Steven Smiley * feat: add policy to add Istio ambient mode Signed-off-by: Steven Smiley --------- 
Signed-off-by: Steven Smiley Co-authored-by: Chip Zoller --- .../chainsaw-step-02-apply-1.yaml | 6 +++ .../chainsaw-step-02-apply-2.yaml | 6 +++ .../chainsaw-step-02-apply-3.yaml | 4 ++ .../chainsaw-step-02-apply-4.yaml | 6 +++ .../.chainsaw-test/chainsaw-test.yaml | 34 +++++++++++++++ .../.chainsaw-test/patched-ns-alt.yaml | 7 ++++ .../.chainsaw-test/patched-ns-disabled.yaml | 6 +++ .../.chainsaw-test/patched-ns-enabled.yaml | 6 +++ .../.chainsaw-test/patched-ns-none.yaml | 6 +++ .../.chainsaw-test/policy-ready.yaml | 6 +++ .../.kyverno-test/kyverno-test.yaml | 21 ++++++++++ .../add-ambient-mode-namespace.yaml | 30 ++++++++++++++ .../artifacthub-pkg.yml | 22 ++++++++++ .../chainsaw-step-01-assert-1.yaml | 6 +++ .../.chainsaw-test/chainsaw-test.yaml | 41 +++++++++++++++++++ .../.chainsaw-test/ns-bad-disabled.yaml | 6 +++ .../.chainsaw-test/ns-bad-nolabel.yaml | 4 ++ .../.chainsaw-test/ns-bad-somelabel.yaml | 6 +++ .../.chainsaw-test/ns-good.yaml | 15 +++++++ .../.kyverno-test/kyverno-test.yaml | 28 +++++++++++++ .../artifacthub-pkg.yml | 22 ++++++++++ .../enforce-ambient-mode-namespace.yaml | 32 +++++++++++++++ 22 files changed, 320 insertions(+) create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml 
create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml create mode 100644 istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml create mode 100644 istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml create mode 100644 istio/add-ambient-mode-namespace/artifacthub-pkg.yml create mode 100644 istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100644 istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml create mode 100644 istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml create mode 100644 istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml create mode 100644 istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml create mode 100644 istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-good.yaml create mode 100644 istio/enforce-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml create mode 100644 istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml create mode 100644 istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml
diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml
new file mode 100644
index 000000000..71651310f
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ istio.io/dataplane-mode: ambient
+ name: istio-test-en-ns
diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml
new file mode 100644
index 000000000..32cbd8936
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ istio.io/dataplane-mode: other
+ name: istio-test-dis-ns
diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml
new file mode 100644
index 000000000..6b17ee831
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-test-none-ns
diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml
new file mode 100644
index 000000000..7b14de9b6
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ foo: bar
+ name: istio-test-alt-ns
diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..51c8ca8fb
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,34 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: add-ambient-mode-namespace
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../add-ambient-mode-namespace.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - apply:
+ file: chainsaw-step-02-apply-2.yaml
+ - apply:
+ file: chainsaw-step-02-apply-3.yaml
+ - apply:
+ file: chainsaw-step-02-apply-4.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: patched-ns-alt.yaml
+ - assert:
+ file: patched-ns-disabled.yaml
+ - assert:
+ file: patched-ns-enabled.yaml
+ - assert:
+ file: patched-ns-none.yaml
diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml
new file mode 100644
index 000000000..7ad1fb2fe
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ foo: bar
+ istio.io/dataplane-mode: ambient
+ name: istio-test-alt-ns
\ No newline at end of file
diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml
new file mode 100644
index 000000000..95de97e29
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ istio.io/dataplane-mode: ambient
+ name: istio-test-dis-ns
\ No newline at end of file
diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml
new file mode 100644
index 000000000..ee122e92b
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ istio.io/dataplane-mode: ambient
+ name: istio-test-en-ns
\ No newline at end of file
diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml
new file mode 100644
index 000000000..c13793cf5
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ istio.io/dataplane-mode: ambient
+ name: istio-test-none-ns
\ No newline at end of file
diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..12870b244
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-ambient-mode-namespace
+status:
+ ready: true
\ No newline at end of file
diff --git a/istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml b/istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..1b1fa13e0
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-ambient-mode-namespace
+policies:
+- ../add-ambient-mode-namespace.yaml
+resources:
+- ../.chainsaw-test/patched-ns-disabled.yaml
+- ../.chainsaw-test/patched-ns-enabled.yaml
+- ../.chainsaw-test/patched-ns-alt.yaml
+- ../.chainsaw-test/patched-ns-none.yaml
+results:
+- policy: add-ambient-mode-namespace
+ rule: check-ambient-mode-enabled
+ kind: Namespace
+ resources:
+ - istio-test-none-ns
+ - istio-test-dis-ns
+ - istio-test-en-ns
+ - istio-test-alt-ns
+ result: pass
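Review bot: The `rule:` in the results block names `check-ambient-mode-enabled`, but the policy this test loads (`../add-ambient-mode-namespace.yaml`) defines its only rule as `add-ambient-mode-enabled`, so the CLI has no rule to attribute these four results to; the fix is `rule: add-ambient-mode-enabled`. Separately, the resources fed in are the already-patched fixtures (`patched-ns-*.yaml`, label already `ambient`), so the mutation itself is never exercised by this test — applying the policy to a Namespace that already carries the target label is a no-op. Feeding the `chainsaw-step-02-apply-*.yaml` inputs instead and pairing each result with the CLI test schema's `patchedResource:` (pointing at the corresponding `patched-ns-*.yaml`) would actually verify that the label is added and, for `istio-test-dis-ns`, that an explicit `other` is overwritten.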
diff --git a/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml b/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml
new file mode 100644
index 000000000..df5fd0992
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-ambient-mode-namespace
+ annotations:
+ policies.kyverno.io/title: Add Istio Ambient Mode
+ policies.kyverno.io/category: Istio
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.8.0
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/subject: Namespace
+ policies.kyverno.io/description: >-
+ In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode`
+ must be set to `ambient`. As an alternative to rejecting Namespace definitions which don't already
+ contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode`
+ set to `ambient` for all new Namespaces.
+spec:
+ rules:
+ - name: add-ambient-mode-enabled
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ istio.io/dataplane-mode: ambient
diff --git a/istio/add-ambient-mode-namespace/artifacthub-pkg.yml b/istio/add-ambient-mode-namespace/artifacthub-pkg.yml
new file mode 100644
index 000000000..7d3226555
--- /dev/null
+++ b/istio/add-ambient-mode-namespace/artifacthub-pkg.yml
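Review bot: The `patchStrategicMerge` at the end of the hunk sets `istio.io/dataplane-mode: ambient` unconditionally, overwriting any value the Namespace owner already put there — the sibling fixture `patched-ns-disabled.yaml` asserts exactly that, a Namespace created with `other` ends up `ambient` — so a team cannot opt a Namespace out of the mesh while this policy is installed, which is a stronger statement than the description's "adds the label ... for all new Namespaces". The rule also has no `exclude`, so it enrolls every Namespace it sees, including `kube-system`, `kube-public`, `kube-node-lease` and `istio-system`; and since Kyverno mutate rules are, as far as I recall, evaluated on UPDATE as well as CREATE unless `operations` is restricted, pre-existing Namespaces are rewritten on their next update too — worth confirming against the pinned Kyverno version. If add-only is the intent, the add-if-absent anchor `+(istio.io/dataplane-mode): ambient` expresses it (and the `patched-ns-disabled.yaml` fixture would then need to expect `other`); in either case an `exclude` block for the system namespaces is advisable.
```yaml
  - name: add-ambient-mode-enabled
    # … unchanged: match on kind Namespace …
    exclude:
      any:
      - resources:
          names:
          - kube-system
          - kube-public
          - kube-node-lease
          - istio-system
    # … unchanged: mutate.patchStrategicMerge …
```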
@@ -0,0 +1,22 @@
+name: add-ambient-mode-namespace
+version: 1.0.0
+displayName: Add Istio Ambient Mode
+createdAt: "2024-07-25T20:07:52.000Z"
+description: >-
+ In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. As an alternative to rejecting Namespace definitions which don't already contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode` set to `ambient` for all new Namespaces.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml
+ ```
+keywords:
+ - kyverno
+ - Istio
+readme: |
+ In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. As an alternative to rejecting Namespace definitions which don't already contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode` set to `ambient` for all new Namespaces.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Istio"
+ kyverno/kubernetesVersion: "1.24"
+ kyverno/subject: "Namespace"
+digest: f81b9ba15c410e62589f0bf79b22a694b41a2294557c91d3c87683772922a8c0
diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100644
index 000000000..5e9e5da0c
--- /dev/null
+++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-ambient-mode-namespace
+status:
+ ready: true
diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..ba6b3d82f
--- /dev/null
+++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,41 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: enforce-ambient-mode-namespace
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../enforce-ambient-mode-namespace.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: enforce-ambient-mode-namespace
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ns-bad-disabled.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ns-bad-nolabel.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ns-bad-somelabel.yaml
diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml
new file mode 100644
index 000000000..0915ecd8e
--- /dev/null
+++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ istio.io/dataplane-mode: other
+ name: bad-istio-amb01
\ No newline at end of file
diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml
new file mode 100644
index 000000000..50c60d84f
--- /dev/null
+++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bad-istio-amb03
\ No newline at end of file
diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml
new file mode 100644
index 000000000..d18925001
--- /dev/null
+++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ foo: enabled
+ name: bad-istio-amb02
\ No newline at end of file
diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-good.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-good.yaml
new file mode 100644
index 000000000..7520123b5
--- /dev/null
+++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-good.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ istio.io/dataplane-mode: ambient
+ name: good-istio-amb01
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ foo: disabled
+ istio.io/dataplane-mode: ambient
+ bar: enabled
+ name: good-istio-amb02
\ No newline at end of file
diff --git a/istio/enforce-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml b/istio/enforce-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..e2e458be1
--- /dev/null
+++ b/istio/enforce-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,28 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: enforce-ambient-mode-namespace
+policies:
+- ../enforce-ambient-mode-namespace.yaml
+resources:
+- ../.chainsaw-test/ns-bad-disabled.yaml
+- ../.chainsaw-test/ns-bad-nolabel.yaml
+- ../.chainsaw-test/ns-bad-somelabel.yaml
+- ../.chainsaw-test/ns-good.yaml
+results:
+- policy: enforce-ambient-mode-namespace
+ rule: check-ambient-mode-enabled
+ kind: Namespace
+ resources:
+ - bad-istio-amb01
+ - bad-istio-amb02
+ - bad-istio-amb03
+ result: fail
+- policy: enforce-ambient-mode-namespace
+ rule: check-ambient-mode-enabled
+ kind: Namespace
+ resources:
+ - good-istio-amb01
+ - good-istio-amb02
+ result: pass
+
diff --git a/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml b/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml
new file mode 100644
index 000000000..a01e95c16
--- /dev/null
+++ b/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: enforce-ambient-mode-namespace
+version: 1.0.0
+displayName: Enforce Istio Ambient Mode
+createdAt: "2024-07-25T20:07:52.000Z"
+description: >-
+ In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces set `istio.io/dataplane-mode` to `ambient`.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml
+ ```
+keywords:
+ - kyverno
+ - Istio
+readme: |
+ In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces set `istio.io/dataplane-mode` to `ambient`.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Istio"
+ kyverno/kubernetesVersion: "1.24"
+ kyverno/subject: "Namespace"
+digest: 1d0f6644ba09afd6fe0dcb431b434c509b995580a5fef2f795df2fc979c6a931
diff --git a/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml b/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml
new file mode 100644
index 000000000..0428f52c5
--- /dev/null
+++ b/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-ambient-mode-namespace
+ annotations:
+ policies.kyverno.io/title: Enforce Istio Ambient Mode
+ policies.kyverno.io/category: Istio
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.8.0
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/subject: Namespace
+ policies.kyverno.io/description: >-
+ In order for Istio to include namespaces in ambient mode, the label
+ `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces
+ set `istio.io/dataplane-mode` to `ambient`.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: check-amblient-mode-enabled
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ message: "All new Namespaces must have Istio ambient mode enabled."
+ pattern:
+ metadata:
+ labels:
+ istio.io/dataplane-mode: ambient
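Review bot: The rule name `check-amblient-mode-enabled` is misspelled, and the sibling `.kyverno-test/kyverno-test.yaml` in this same patch references `check-ambient-mode-enabled`, so the CLI test cannot attribute its five expected results to any rule; the fix is `- name: check-ambient-mode-enabled`. Separately, the rule has no `exclude`, so once switched to `Enforce` (which the chainsaw test does via patch) creation of any unlabeled Namespace is rejected — including `istio-system` itself on a fresh install, or Namespaces created by operators that know nothing about this label — and with `background: true` every pre-existing Namespace such as `kube-system` is also reported, which is wider than the "all new Namespaces" wording of both the description and the `message`. Either narrow the wording or add an `exclude` for the platform namespaces so the policy matches its stated intent.
```yaml
  - name: check-ambient-mode-enabled
    # … unchanged: match on kind Namespace …
    exclude:
      any:
      - resources:
          names:
          - kube-system
          - kube-public
          - kube-node-lease
          - istio-system
    # … unchanged: validate.pattern …
```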