Last active
September 28, 2022 12:26
-
-
Save gbvanrenswoude/76a511e1c98ca69afcb88d5b4e1283bf to your computer and use it in GitHub Desktop.
kyverno-prevent-updates-to-service-loadbalancer
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: kyverno.io/v1 | |
| kind: ClusterPolicy | |
| metadata: | |
| name: service-no-type-load-balancer-enforce-extention | |
| spec: | |
| validationFailureAction: enforce | |
| background: false | |
| rules: | |
| - name: default | |
| match: | |
| any: | |
| - resources: | |
| kinds: | |
| - Service | |
| preconditions: | |
| all: | |
| - key: "{{ request.operation }}" | |
| operator: Equals | |
| value: UPDATE | |
| validate: | |
| message: Service with type Loadbalancer will launch Classic ELBs using the AWS | |
| cloud provider load balancer controller instead of ALBs or NLBs using the | |
| new AWS Load Balancer Controller. It is required that you use the AWS Load Balancer | |
| Controller instead of the AWS cloud provider load balancer controller. This | |
| is because Classic ELBs are not maintained by AWS, except for critical security | |
| patches. For NLB implementation please use https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/service/nlb/. | |
| You can also refer to https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html | |
| and https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html | |
| for more background information. | |
| pattern: | |
| spec: | |
| type: "!LoadBalancer" | |
| deny: | |
| conditions: | |
| any: | |
| - key: "{{ request.object.metadata.annotations || `{}` | merge(@, {service.beta.kubernetes.io/aws-load-balancer-type:null}) }}" | |
| operator: Equals | |
| value: "{{ request.oldObject.metadata.annotations || `{}` | merge(@, {service.beta.kubernetes.io/aws-load-balancer-type:null}) }}" | |
| --- | |
| apiVersion: kyverno.io/v1 | |
| kind: ClusterPolicy | |
| metadata: | |
| name: service-no-type-load-balancer-enforce-update | |
| spec: | |
| validationFailureAction: enforce | |
| background: false | |
| rules: | |
| - name: prevent-change | |
| match: | |
| resources: | |
| kinds: | |
| - Service | |
| validate: | |
| message: "Changing the `service.beta.kubernetes.io/aws-load-balancer-type` annotation on a Service type Loadbalancer to empty is not allowed." | |
| pattern: | |
| spec: | |
| type: "!LoadBalancer" | |
| deny: | |
| conditions: | |
| - key: "{{ request.object.metadata.annotations.service.beta.kubernetes.io/aws-load-balancer-type }}" | |
| operator: "NotEquals" | |
| value: "" | |
| - key: "{{ request.object.metadata.annotations.service.beta.kubernetes.io/aws-load-balancer-type }}" | |
| operator: "NotEquals" | |
| value: "{{ request.oldObject.metadata.annotations.service.beta.kubernetes.io/aws-load-balancer-type }}" | |
| - name: prevent-removal | |
| match: | |
| resources: | |
| kinds: | |
| - Service | |
| preconditions: | |
| - key: "{{ request.operation }}" | |
| operator: "Equals" | |
| value: UPDATE | |
| - key: "{{ request.oldObject.metadata.annotations.service.beta.kubernetes.io/aws-load-balancer-type }}" | |
| operator: "Equals" | |
| value: "*" | |
| validate: | |
| message: "Removing the `service.beta.kubernetes.io/aws-load-balancer-type` annotation external on a Service type Loadbalancer is not allowed." | |
| pattern: | |
| spec: | |
| type: "!LoadBalancer" | |
| metadata: | |
| annotations: | |
| service.beta.kubernetes.io/aws-load-balancer-type: "external" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment