40 lines
1.2 KiB
YAML
40 lines
1.2 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: check-routes
|
|
annotations:
|
|
policies.kyverno.io/title: Require TLS routes in OpenShift
|
|
policies.kyverno.io/category: OpenShift
|
|
policies.kyverno.io/severity: high
|
|
kyverno.io/kyverno-version: 1.6.0
|
|
policies.kyverno.io/minversion: 1.6.0
|
|
kyverno.io/kubernetes-version: "1.20"
|
|
policies.kyverno.io/subject: Route
|
|
policies.kyverno.io/description: |-
|
|
HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes.
|
|
spec:
|
|
validationFailureAction: audit
|
|
failurePolicy: Ignore
|
|
background: false
|
|
rules:
|
|
- name: require-tls-routes
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- route.openshift.io/v1/Route
|
|
preconditions:
|
|
all:
|
|
- key: "{{ request.operation }}"
|
|
operator: NotEquals
|
|
value: ["DELETE"]
|
|
validate:
|
|
message: >-
|
|
HTTP routes are not allowed. Configure TLS for secure routes.
|
|
deny:
|
|
conditions:
|
|
all:
|
|
- key: "{{ keys(request.object.spec) | contains(@, 'tls') }}"
|
|
operator: Equals
|
|
value: false
|