ankitsaini2609 revised this gist Jul 8, 2021 . 1 changed file with 2 additions and 2 deletions. @@ -10,7 +10,7 @@ spec: context: - name: allowed-elbs configMap: name: public-services namespace: security match: resources: @@ -28,4 +28,4 @@ spec: value: "LoadBalancer" - key: "{{request.namespace}}/{{request.name}}" operator: NotIn value: "{{ \"public-services\".data.\"public-services-whitelist\" }}"
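Review bot: The new value `"{{ \"public-services\".data.\"public-services-whitelist\" }}"` in the second hunk looks up a context variable named `public-services`, but the context entry in the first hunk is still `- name: allowed-elbs` — only `configMap.name` was changed to `public-services`. In Kyverno the quoted JMESPath identifier resolves against the context variable name, not the ConfigMap resource name, so as written the variable does not exist and the condition cannot evaluate as intended. Either rename the context entry to `- name: public-services`, or keep the variable and change the value to `value: "{{ \"allowed-elbs\".data.\"public-services-whitelist\" }}"`. The enclosing rule starts and ends outside these hunks, so the first condition's dependence on the same variable should be checked there too.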
ankitsaini2609 revised this gist Jun 3, 2021 . 1 changed file with 0 additions and 10 deletions. @@ -1,10 +0,0 @@
ankitsaini2609 created this gist Jun 3, 2021 . @@ -0,0 +1,10 @@ apiVersion: v1 kind: ConfigMap metadata: name: allowed-elbs namespace: security data: allowed-elbs: |- donottouchthis/* d0n0tt0uchth15/* @@ -0,0 +1,31 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: deny-public-elb-creation spec: validationFailureAction: enforce background: false rules: - name: block-public-elb-service-creations context: - name: allowed-elbs configMap: name: allowed-elbs namespace: security match: resources: kinds: - Service validate: message: "Service of the type: LoadBalancer found to be exposed publicly. Please expose the service as a private ELB via 'service.beta.kubernetes.io/aws-load-balancer-internal' annotation. In case of any doubts reach out to security team." deny: conditions: - key: "{{request.object.metadata.annotations.\"service.beta.kubernetes.io/aws-load-balancer-internal\"||'~'}}" operator: Equals value: "~" - key: "{{request.object.spec.type}}" operator: Equals value: "LoadBalancer" - key: "{{request.namespace}}/{{request.name}}" operator: NotIn value: "{{ \"allowed-elbs\".data.\"allowed-elbs\" }}"
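Review bot: `allowed-elbs: |-` in the ConfigMap makes the value one two-line string (`"donottouchthis/*\nd0n0tt0uchth15/*"`), not a list of two entries, so the policy's `NotIn` ends up comparing `namespace/name` against a single string. As I read Kyverno's ConfigMap-context handling, a list has to be stored as a JSON-encoded array string, e.g. `allowed-elbs: '["donottouchthis/*", "d0n0tt0uchth15/*"]'`; whether the `/*` wildcard is honoured by `NotIn` is version-dependent, so verify with a test Service in the `donottouchthis` namespace before relying on it. Separately, anyone with write access to this ConfigMap in `security` can whitelist their own namespace, so its RBAC should be as tight as the ClusterPolicy's.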
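Review bot: The first deny condition in the ClusterPolicy only tests that the `service.beta.kubernetes.io/aws-load-balancer-internal` annotation is present (the `||'~'` default compared with `"~"`), not what value it carries, so a Service that sets the annotation to `"false"` passes the check while still requesting a public load balancer — the in-tree AWS provider and the AWS Load Balancer Controller both treat `"false"` as internet-facing, as far as I recall their annotation handling, which is worth confirming for the controller version in use. Compare against the accepted values instead: change the first condition to `key: "{{request.object.metadata.annotations.\"service.beta.kubernetes.io/aws-load-balancer-internal\" || ''}}"`, `operator: NotIn`, `value: ["true", "0.0.0.0/0"]` (drop the legacy `0.0.0.0/0` form if the cluster no longer honours it). If the AWS Load Balancer Controller v2 is in use, note that it selects the scheme via `service.beta.kubernetes.io/aws-load-balancer-scheme`, so a Service relying on that annotation alone would be blocked here and the rule needs an equivalent clause for it.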