From cef0d1fcefd750746d3b5a2fbebcda8443aec261 Mon Sep 17 00:00:00 2001
From: Amit Lichtenberg
Date: Thu, 4 Apr 2024 12:50:11 +0300
Subject: [PATCH 1/2] Document validating intents using Kyverno
---
 .../validating-clientintents/README.mdx | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 docs/reference/validating-clientintents/README.mdx
diff --git a/docs/reference/validating-clientintents/README.mdx b/docs/reference/validating-clientintents/README.mdx
new file mode 100644
index 000000000..7947a3af1
--- /dev/null
+++ b/docs/reference/validating-clientintents/README.mdx
@@ -0,0 +1,43 @@
+---
+sidebar_position: 9
+title: Validating ClientIntents
+---
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+Otterize's `ClientIntent` CRDs can be validated using [Kyverno](https://kyverno.io/#td-block-1).
+Kyverno is a policy engine designed for Kubernetes
+Kyverno policies can validate, mutate, generate, and cleanup Kubernetes resources, and verify image signatures and artifacts to help secure the software supply chain.
+
+To install and setup Kyverno, follow the instructions in the [Kyverno documentation](https://kyverno.io/docs/installation/).
+
+The following are some example Kyverno policies that can be used to validate `ClientIntent` CRDs:
+
+* Validate that `ClientIntent` CRDs do not have any AWS `s3:DeleteAction` operations:
+ ```yaml
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: validate-clientintents
+ spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: deny-s3-deleteobject
+ match:
+ any:
+ - resources:
+ kinds:
+ - k8s.otterize.com/v1alpha3/ClientIntents
+ validate:
+ message: "s3:DeleteObject is not allowed"
+ foreach:
+ - list: request.object.spec.calls[]
+ foreach:
+ - list: "element.awsActions"
+ deny:
+ conditions:
+ all:
+ - key: "{{element}}"
+ operator: Equals
+ value: "s3:DeleteAction"
+ ```
From e6eea913fdf86def5a9a20fe7ae0e78c42b6f5b6 Mon Sep 17 00:00:00 2001
From: Amit Lichtenberg
Date: Sun, 7 Apr 2024 09:40:37 +0300
Subject: [PATCH 2/2] Update docs/reference/validating-clientintents/README.mdx
Co-authored-by: Ori Shoshan
---
 docs/reference/validating-clientintents/README.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/reference/validating-clientintents/README.mdx b/docs/reference/validating-clientintents/README.mdx
index 7947a3af1..c53ae0f89 100644
--- a/docs/reference/validating-clientintents/README.mdx
+++ b/docs/reference/validating-clientintents/README.mdx
@@ -13,7 +13,7 @@ To install and setup Kyverno, follow the instructions in the [Kyverno documentat The following are some example Kyverno policies that can be used to validate `ClientIntent` CRDs: -* Validate that `ClientIntent` CRDs do not have any AWS `s3:DeleteAction` operations: +* Validate that `ClientIntents` CRDs do not have any AWS `s3:DeleteAction` operations: ```yaml apiVersion: kyverno.io/v1 kind: ClusterPolicy