Last active
July 8, 2021 08:40
-
-
Save ankitsaini2609/11af2bc3affd92da3fd2e56db48d2e5d to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: kyverno.io/v1 | |
| kind: ClusterPolicy | |
| metadata: | |
| name: deny-public-elb-creation | |
| spec: | |
| validationFailureAction: enforce | |
| background: false | |
| rules: | |
| - name: block-public-elb-service-creations | |
| context: | |
| - name: allowed-elbs | |
| configMap: | |
| name: public-services | |
| namespace: security | |
| match: | |
| resources: | |
| kinds: | |
| - Service | |
| validate: | |
| message: "Service of the type: LoadBalancer found to be exposed publicly. Please expose the service as a private ELB via 'service.beta.kubernetes.io/aws-load-balancer-internal' annotation. In case of any doubts reach out to security team." | |
| deny: | |
| conditions: | |
| - key: "{{request.object.metadata.annotations.\"service.beta.kubernetes.io/aws-load-balancer-internal\"||'~'}}" | |
| operator: Equals | |
| value: "~" | |
| - key: "{{request.object.spec.type}}" | |
| operator: Equals | |
| value: "LoadBalancer" | |
| - key: "{{request.namespace}}/{{request.name}}" | |
| operator: NotIn | |
| value: "{{ \"public-services\".data.\"public-services-whitelist\" }}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment