feat: add miscellaneous policies in CEL expressions - Part 3 #1028

Merged
Changes from 1 commit
47 commits
720bc92
copy prevent-linkerd-pod-injection-override
Chandan-DK May 21, 2024
4f6ca0c
add kyverno tests for prevent-linkerd-pod-injection-override
Chandan-DK May 21, 2024
a74d10b
convert prevent-linkerd-pod-injection-override
Chandan-DK May 21, 2024
dcd4ac5
add metadata section to template
Chandan-DK May 21, 2024
6ac7add
add kyverno tests for prevent-linkerd-pod-injection-override in regul…
Chandan-DK May 21, 2024
51af207
copy prevent-linkerd-port-skipping
Chandan-DK May 21, 2024
66b483f
correct invalid chainsaw test resources to remove errors
Chandan-DK May 21, 2024
562b82d
add kyverno tests
Chandan-DK May 21, 2024
a14f7f8
convert prevent-linkerd-port-skipping
Chandan-DK May 21, 2024
d7003ed
copy require-linkerd-mesh-injection
Chandan-DK May 21, 2024
a7ffe1e
add kyverno tests for require-linkerd-mesh-injection
Chandan-DK May 21, 2024
7acd066
convert require-linkerd-mesh-injection
Chandan-DK May 21, 2024
63a28e7
copy disallow-ingress-nginx-custom-snippets
Chandan-DK May 21, 2024
7cffb72
convert disallow-ingress-nginx-custom-snippets
Chandan-DK May 21, 2024
9321063
copy restrict-annotations
Chandan-DK May 22, 2024
afc2fea
convert restrict-annotations
Chandan-DK May 22, 2024
abd6ab4
copy restrict-ingress-paths
Chandan-DK May 22, 2024
0e01161
add kyverno test for one more failing condition
Chandan-DK May 22, 2024
2788e16
convert restrict-ingress-paths
Chandan-DK May 22, 2024
5d7f145
copy check-routes
Chandan-DK May 22, 2024
bc9172f
convert check-routes
Chandan-DK May 22, 2024
07e3081
copy disallow-deprecated-apis/
Chandan-DK May 22, 2024
6d334db
convert disallow-deprecated-apis
Chandan-DK May 22, 2024
9616cff
copy disallow-default-tlsoptions
Chandan-DK May 22, 2024
63d317e
convert disallow-default-tlsoptions
Chandan-DK May 22, 2024
4dd272d
copy add-psa-namespace-reporting
Chandan-DK May 22, 2024
f83665c
convert add-psa-namespace-reporting
Chandan-DK May 22, 2024
184576b
copy deny-privileged-profile
Chandan-DK May 22, 2024
03609a0
convert deny-privileged-profile
Chandan-DK May 22, 2024
f3a3ca9
add kyverno tests for deny-privileged-profile
Chandan-DK May 22, 2024
2815aa5
copy disallow-jenkins-pipeline-strategy
Chandan-DK May 22, 2024
a7d95dd
convert disallow-jenkins-pipeline-strategy
Chandan-DK May 22, 2024
ca7ed59
copy disallow-security-context-constraint-anyuid
Chandan-DK May 22, 2024
6512fba
convert disallow-security-context-constraint-anyuid
Chandan-DK May 22, 2024
77095fa
copy openshift-cel/disallow-self-provisioner-binding
Chandan-DK May 22, 2024
5c66f1f
convert disallow-self-provisioner-binding
Chandan-DK May 22, 2024
07f18b6
copy enforce-etcd-encryption
Chandan-DK May 22, 2024
4343afc
convert enforce-etcd-encryption
Chandan-DK May 22, 2024
5c9058e
add CI tests for cel policies
Chandan-DK May 22, 2024
bb83cb3
remove comments for CI tests
Chandan-DK May 22, 2024
edf8a45
rename files for clarity
Chandan-DK May 22, 2024
34869cf
Merge branch 'main' into miscellaneous-policies-cel-part-3
Chandan-DK May 22, 2024
cbd81f5
specify CREATE and UPDATE operations explicitly
Chandan-DK Jul 9, 2024
95b5dd0
Merge branch 'main' into miscellaneous-policies-cel-part-3
Chandan-DK Jul 9, 2024
18cd551
remove disallow-self-provisioner-binding as it gives errors that need…
Chandan-DK Jul 9, 2024
a04f06c
Merge branch 'main' into miscellaneous-policies-cel-part-3
MariamFahmy98 Jul 10, 2024
96b2b31
Merge branch 'main' into miscellaneous-policies-cel-part-3
MariamFahmy98 Jul 15, 2024
convert require-linkerd-mesh-injection
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
Chandan-DK committed May 21, 2024
commit 7acd0661ac6bad0b066ae0e4b8b24da36e7a72a9
14 changes: 8 additions & 6 deletions linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml
@@ -1,21 +1,23 @@
name: require-linkerd-mesh-injection
name: require-linkerd-mesh-injection-cel
version: 1.0.0
displayName: Require Linkerd Mesh Injection
createdAt: "2023-04-10T20:19:58.000Z"
displayName: Require Linkerd Mesh Injection in CEL expressions
description: >-
Sidecar proxy injection in Linkerd may be handled at the Namespace level by setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml
```
keywords:
- kyverno
- Linkerd
- CEL Expressions
readme: |
Sidecar proxy injection in Linkerd may be handled at the Namespace level by setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`.
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Linkerd"
kyverno/category: "Linkerd in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Namespace, Annotation"
digest: 284e774c36aae48ee175b4388c792d073897fd6e5df3645ce65682d441a35877
digest: 5a3664baf5c416d009d7eefe0f45da0efb856928beb0cc299e1416de48810959
createdAt: "2024-05-21T16:06:15Z"
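Review bot: the `description` and `readme` text in this hunk is carried over unchanged from the pattern-based package, so the ArtifactHub listing gives no indication that this variant is evaluated as CEL expressions or that it needs a newer Kyverno than the original (the ClusterPolicy in this same commit sets `policies.kyverno.io/minversion: 1.11.0`, but that annotation is not surfaced in the package metadata). Suggest one extra sentence in `readme`, along the lines of "This policy is written using CEL expressions and requires Kyverno 1.11.0 or later.", and optionally the same in `description`, so the two packages can be told apart by someone browsing the hub. The rename to `require-linkerd-mesh-injection-cel`, the new `linkerd-cel/` install path, the "CEL Expressions" keyword and the refreshed `digest`/`createdAt` are consistent with the other conversions in this PR.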
@@ -3,16 +3,18 @@ kind: ClusterPolicy
metadata:
name: require-linkerd-mesh-injection
annotations:
policies.kyverno.io/title: Require Linkerd Mesh Injection
policies.kyverno.io/category: Linkerd
policies.kyverno.io/title: Require Linkerd Mesh Injection in CEL expressions
policies.kyverno.io/category: Linkerd in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Namespace, Annotation
policies.kyverno.io/minversion: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
Sidecar proxy injection in Linkerd may be handled at the Namespace level by
setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that
all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`.
spec:
validationFailureAction: audit
validationFailureAction: Audit
background: true
rules:
- name: require-mesh-annotation
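Review bot: `metadata.name` is left as `require-linkerd-mesh-injection` although the ArtifactHub package in this same commit was renamed to `require-linkerd-mesh-injection-cel`. ClusterPolicy is cluster-scoped, so applying this manifest on a cluster that already has the pattern-based policy installed replaces that object rather than adding a second policy, and the two install commands are no longer side-by-side alternatives. Suggest renaming the policy to `require-linkerd-mesh-injection-cel` here (and in the matching test resources) so the object name agrees with the package `name`. The `validationFailureAction: audit` to `Audit` casing change and the added `policies.kyverno.io/minversion: 1.11.0` look right for a rule that moves to `validate.cel`.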
@@ -22,8 +24,8 @@ spec:
kinds:
- Namespace
validate:
message: "All Namespaces must set the annotation `linkerd.io/inject` to `enabled`."
pattern:
metadata:
annotations:
linkerd.io/inject: enabled
cel:
expressions:
- expression: "has(object.metadata.annotations) && 'linkerd.io/inject' in object.metadata.annotations && object.metadata.annotations['linkerd.io/inject'] == 'enabled'"
message: "All Namespaces must set the annotation `linkerd.io/inject` to `enabled`."
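Review bot: the expression dereferences `object.metadata` unconditionally, and this hunk does not show whether the `match` block restricts admission operations; given that a later commit in this PR, cbd81f5 ("specify CREATE and UPDATE operations explicitly"), adds that restriction, it is presumably absent at this point and would be cleaner to include in the conversion itself as `operations: [CREATE, UPDATE]`, so the rule is not evaluated for requests where `object` is not the Namespace being validated. The expression otherwise is a faithful translation of the removed `pattern`: `has(object.metadata.annotations)` covers a Namespace with no annotations at all (the pattern fails there too because the required field is missing), the `in` check covers a missing key, and the equality check enforces the exact value `enabled`, matching the `message` text.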