namespace-inventory-check
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: namespace-inventory-check
  annotations:
    policies.kyverno.io/title: Namespace Inventory Check
    policies.kyverno.io/category: "Cost Management"
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace
    kyverno.io/kyverno-version: 1.10.0
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      In cases such as multi-tenancy where new Namespaces must be fully
      provisioned before they can be used, it may not be easy to declare and
      understand if/when the Namespace is ready. Having a policy which defines
      all the resources which are required for each Namespace can assist in determining
      compliance. This policy, expected to be run in background mode only, performs a Namespace
      inventory check to ensure that all Namespaces have a ResourceQuota and NetworkPolicy.
      Additional rules may be written to extend the check for your needs. By default, background
      scans occur every one hour which may be changed with an additional container flag. Please
      see the installation documentation for details.
spec:
  background: true
  validationFailureAction: Audit
  rules:
  - name: resourcequotas
    match:
      any:
      - resources:
          kinds:
          - Namespace
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - kube-public
          - kube-node-lease
    context:
    - name: resourcequotas
      apiCall:
        urlPath: "/api/v1/namespaces/{{request.object.metadata.name}}/resourcequotas"
        jmesPath: "items[] | length(@)"
    validate:
      message: "Every Namespace must have at least one ResourceQuota."
      deny:
        conditions:
          all:
          - key: "{{ resourcequotas }}"
            operator: Equals
            value: 0
  - name: networkpolicies
    match:
      any:
      - resources:
          kinds:
          - Namespace
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - kube-public
          - kube-node-lease
    context:
    - name: netpols
      apiCall:
        urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.object.metadata.name}}/networkpolicies"
        jmesPath: "items[] | length(@)"
    validate:
      message: "Every Namespace must have at least one NetworkPolicy."
      deny:
        conditions:
          all:
          - key: "{{ netpols }}"
            operator: Equals
            value: 0
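The evaluation the policy performs is easy to misread from the YAML alone: each rule makes an apiCall against the Namespace being scanned, the JMESPath `items[] | length(@)` reduces the List response to a count, and the deny block fires when that count Equals 0, with the three system Namespaces removed by the exclude block before any rule runs. The following Python script is an added example, not code from the kyverno/policies repository, that reproduces that logic offline over constructed API responses so the audit outcome for a set of Namespaces can be checked without a cluster. The `_quota_list`/`_netpol_list` helpers and the `SAMPLE_CLUSTER` data are constructed for the example; in practice the responses would be the JSON that `kubectl get resourcequotas -n <ns> -o json` and `kubectl get networkpolicies -n <ns> -o json` return.

```python
"""Offline walk-through of the namespace-inventory-check policy (added example).

Not part of the kyverno/policies repository. Reproduces the two rules in plain
Python: skip excluded Namespaces, count the ResourceQuotas and NetworkPolicies
each apiCall would return (JMESPath "items[] | length(@)"), and report the
validate.message whenever the count Equals 0. All API responses are constructed.
"""
from typing import Dict, List

# Namespaces removed by the policy's exclude block.
EXCLUDED_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}

# One entry per rule: (context name, listing the apiCall fetches, validate.message).
RULES = [
    ("resourcequotas", "resourcequotas",
     "Every Namespace must have at least one ResourceQuota."),
    ("netpols", "networkpolicies",
     "Every Namespace must have at least one NetworkPolicy."),
]


def count_items(api_list: dict) -> int:
    """Equivalent of the policy's JMESPath `items[] | length(@)` on a List response.

    A response with no "items" key, or an explicit null, counts as zero; that is
    exactly the case the deny condition `Equals 0` is written for.
    """
    return len(api_list.get("items") or [])


def check_namespace(name: str, listings: Dict[str, dict]) -> List[str]:
    """Return the validate messages that would fire for one Namespace.

    `listings` maps "resourcequotas" / "networkpolicies" to the List-shaped
    response of the corresponding apiCall urlPath.
    """
    if name in EXCLUDED_NAMESPACES:
        return []  # excluded before any rule is evaluated
    failures = []
    for _context_name, kind, message in RULES:
        # deny when the context value Equals 0, as in the policy's condition
        if count_items(listings.get(kind, {})) == 0:
            failures.append(message)
    return failures


def audit(cluster: Dict[str, Dict[str, dict]]) -> Dict[str, List[str]]:
    """Run both rules over every Namespace; return only the Namespaces that fail."""
    report = {}
    for ns, listings in cluster.items():
        failures = check_namespace(ns, listings)
        if failures:
            report[ns] = failures
    return report


def _quota_list(*names: str) -> dict:
    """Constructed ResourceQuotaList shaped like the API's List response."""
    return {"kind": "ResourceQuotaList", "apiVersion": "v1",
            "items": [{"metadata": {"name": n}} for n in names]}


def _netpol_list(*names: str) -> dict:
    """Constructed NetworkPolicyList shaped like the API's List response."""
    return {"kind": "NetworkPolicyList", "apiVersion": "networking.k8s.io/v1",
            "items": [{"metadata": {"name": n}} for n in names]}


# Constructed sample cluster: Namespace -> apiCall responses for each rule.
SAMPLE_CLUSTER = {
    "kube-system": {"resourcequotas": _quota_list(),
                    "networkpolicies": _netpol_list()},
    "tenant-a": {"resourcequotas": _quota_list("tenant-a-quota"),
                 "networkpolicies": _netpol_list("default-deny")},
    "tenant-b": {"resourcequotas": _quota_list("tenant-b-quota"),
                 "networkpolicies": _netpol_list()},
    "tenant-c": {"resourcequotas": _quota_list(),
                 "networkpolicies": _netpol_list()},
}

if __name__ == "__main__":
    for ns, messages in audit(SAMPLE_CLUSTER).items():
        for m in messages:
            print(f"{ns}: {m}")
```

Running the script reports `tenant-b` (no NetworkPolicy) and `tenant-c` (neither resource) and stays silent about `kube-system`, which has nothing but is excluded, and `tenant-a`, which has both. Because the policy sets `validationFailureAction: Audit` and `background: true`, a failing Namespace is only recorded in a PolicyReport on the next background scan; nothing is blocked, so the report is what should be watched to see provisioning gaps.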