This policy validates the annotations of generic Kubernetes objects.
Note
By default, the policy metadata targets only workload resources (Deployments, Pods, Replicasets, Jobs..).
Deploy the policy with your desired rules to target other resources.
Note that the audit scanner feature does not support policies targeting "*".
The policy settings has the criteria field which define the logic operation
performed with the values defined in the settings and the annotations
defined in the resource:
settings:
criteria: "containsAnyOf"
values:
- example.com/application
- cost-centerThe criteria configuration can have the following values:
containsAnyOf: enforces that the resource has at least one of the annotations invalues.doesNotContainAnyOf: enforces that the resource does not have any annotation defined invalues(denylist).containsAllOf: enforces that all of the annotations invaluesare defined in the resource.doesNotContainAllOf: enforces that the annotations defined invaluesare not all set together in the resource.ContainsOtherThan: enforces that the resource contains at least one annotation not invalues.DoesNotContainOtherThan: enforces that the resource contains only annotations fromvalues(allowlist).
The values field must contain at least one annotation name for
validation. Annotation names should be valid annotation
names
per Kubernetes docs.
Important
An empty list of annotation names is not allowed.
If you require more complex annotations validation, consider the use of Kubewarden policy groups. With policy groups, you can combine multiple validations using complex logical operators to function as a single policy.
These are some tables to help you understand the logic of the operators:
Given these values settings: [a, b]
| Resource annotations | Evaluation result |
|---|---|
| a | Accepted |
| b | Accepted |
| a,b | Accepted |
| a,b,c | Accepted |
| c | Rejected |
| a, c | Accepted |
| b, c | Accepted |
| empty | Rejected |
Given these values settings: [a, b]
| Resource annotations | Evaluation result |
|---|---|
| a | Rejected |
| b | Rejected |
| a,b | Rejected |
| a,b,c | Rejected |
| c | Accepted |
| a, c | Rejected |
| b, c | Rejected |
| empty | Accepted |
Given these values settings: [a, b]
| Resource annotations | Evaluation result |
|---|---|
| a | Rejected |
| b | Rejected |
| a,b | Accepted |
| a,b,c | Accepted |
| c | Rejected |
| a, c | Rejected |
| b, c | Rejected |
| empty | Rejected |
Given these values settings: [a, b]
| Resource annotations | Evaluation result |
|---|---|
| a | Accepted |
| b | Accepted |
| a,b | Rejected |
| a,b,c | Rejected |
| c | Accepted |
| a, c | Accepted |
| b, c | Accepted |
| empty | Accepted |
Given these values settings: [a, b]
| Resource annotations | Evaluation result |
|---|---|
| a | rejected |
| b | rejected |
| a,b | rejected |
| a,b,c | accepted |
| c | accepted |
| a, c | accepted |
| b, c | accepted |
| empty | rejected |
Given these values settings: [a, b]
| Resource annotations | Evaluation result |
|---|---|
| a | accepted |
| b | accepted |
| a,b | accepted |
| a,b,c | rejected |
| c | rejected |
| a, c | rejected |
| b, c | rejected |
| empty | accepted |