Services select eligible Pods by way of label matches. Having multiple Service apply based on same labels can cause conflicts and have unintended consequences. This policy ensures that within the same Namespace a Service has a unique set of labels as a selector.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: require-unique-service-selectorannotations:policies.kyverno.io/title: Require Unique Service Selectorpolicies.kyverno.io/category: Otherkyverno.io/kyverno-version: 1.9.0kyverno.io/kubernetes-version: "1.24"policies.kyverno.io/subject: Servicepolicies.kyverno.io/description: Services select eligible Pods by way of label matches. Having multiple Service apply based on same labels can cause conflicts and have unintended consequences. This policy ensures that within the same Namespace a Service has a unique set of labels as a selector.spec:validationFailureAction: Auditbackground: falserules:- name: check-service-selectormatch:any:- resources:kinds:- Servicepreconditions:all:- key: "{{request.operation || 'BACKGROUND'}}"operator: NotEqualsvalue: DELETEcontext:- name: servicesapiCall:urlPath: /api/v1/namespaces/{{request.namespace}}/servicesjmesPath: items[?spec.selector]- name: service_countvariable:jmesPath: services[?label_match(spec.selector, `{{request.object.spec.selector}}`)] | length(@)validate:message: There is already a matching selector for this Service.deny:conditions:any:- key: "{{service_count}}"operator: GreaterThanvalue: 0
This policy prevents the use of the default project in an Application.
This policy ensures that the name of the ApplicationSet is the same value provided in the project.
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.