Back to Policies

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: application-prevent-updates-project
  annotations:
    policies.kyverno.io/title: Prevent Updates to Project
    policies.kyverno.io/category: Argo
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Application
    policies.kyverno.io/description: This policy prevents updates to the project field after an Application is created.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: project-updates
      match:
        any:
          - resources:
              kinds:
                - Application
      preconditions:
        all:
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: Equals
            value: UPDATE
      validate:
        message: The spec.project cannot be changed once the Application is created.
        deny:
          conditions:
            any:
              - key: "{{request.object.spec.project}}"
                operator: NotEquals
                value: "{{request.oldObject.spec.project}}"

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Ensure ApplicationSet Name Matches Project

This policy ensures that the name of the ApplicationSet is the same value provided in the project.

ApplicationSet
ValidateMedium

Require Encryption with AWS LoadBalancers

Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.

Service