Require Encryption with AWS LoadBalancers

Services of type LoadBalancer, when deployed inside AWS, support transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some (non-empty) value; Services of any other type are not affected.

Policy Definition

/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-encryption-aws-loadbalancers
  annotations:
    policies.kyverno.io/title: Require Encryption with AWS LoadBalancers
    policies.kyverno.io/category: AWS, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Service
    kyverno.io/kyverno-version: 1.7.3, 1.8.0-rc2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23-1.24"
    policies.kyverno.io/description: >-
      Services of type LoadBalancer when deployed inside AWS have support for
      transport encryption if it is enabled via an annotation. This policy requires
      that Services of type LoadBalancer contain the annotation
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: aws-loadbalancer-has-ssl-cert
    match:
      any:
      - resources:
          kinds:
          - Service
    validate:
      message: "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert."
      pattern:
        metadata:
          annotations:
            service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "?*"
        (spec):
          (type): LoadBalancer
```
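The two pieces of the pattern that decide what this policy flags are the conditional anchor `(spec): (type): LoadBalancer` (the rule only applies when `spec.type` is LoadBalancer) and the `"?*"` wildcard (the annotation must exist and hold at least one character). The following is an added example, not code from the Kyverno policy library: a small stand-alone Python re-implementation of just that check, run over constructed Service manifests, so you can see which Services would be reported before rolling the policy out. It is not the Kyverno engine; the manifests, the `audit` report format and the placeholder certificate ARN are all assumptions made for the example.

```python
"""Added example (not from the Kyverno policy library): a minimal
re-implementation of what the require-encryption-aws-loadbalancers
validate pattern checks, applied to constructed Service manifests.
Manifests are plain dicts (what you would get from parsing the YAML),
so the example runs without any third-party dependency."""

SSL_CERT_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
MESSAGE = ("Service of type LoadBalancer must carry the annotation "
           f"{SSL_CERT_ANNOTATION}.")


def matches_wildcard(value):
    """Mirror the pattern value "?*": '?' matches exactly one character and
    '*' matches zero or more, so the annotation must be a non-empty string.
    A missing key (None) or an empty string does not match."""
    return isinstance(value, str) and len(value) >= 1


def check_service(manifest):
    """Return (passed, reason) for one manifest.

    The conditional anchor "(spec): (type): LoadBalancer" means the rest of
    the pattern is only enforced when spec.type equals LoadBalancer; every
    other Service passes untouched, exactly like the policy."""
    if manifest.get("kind") != "Service":
        return True, "not a Service; the rule's match block does not select it"
    if manifest.get("spec", {}).get("type") != "LoadBalancer":
        return True, "spec.type is not LoadBalancer; conditional anchor skips the rule"
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    if matches_wildcard(annotations.get(SSL_CERT_ANNOTATION)):
        return True, "annotation present with a non-empty value"
    return False, MESSAGE


def audit(manifests):
    """Evaluate every manifest and return {name: passed}, the shape of an
    audit-mode report (validationFailureAction: audit reports, it does not
    block; switch to enforce to reject the failing Services at admission)."""
    return {name: check_service(m)[0] for name, m in manifests.items()}


# Constructed sample manifests for the example (not from the page). The
# certificate ARN is a placeholder, not a real resource.
PLACEHOLDER_CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CERT-ID"

SAMPLES = {
    # LoadBalancer with a certificate annotation: passes.
    "lb-with-cert": {
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "web", "annotations": {SSL_CERT_ANNOTATION: PLACEHOLDER_CERT_ARN}},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]},
    },
    # LoadBalancer with no annotations at all: fails.
    "lb-missing-annotation": {
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "web-plain"},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]},
    },
    # LoadBalancer whose annotation is present but empty: "?*" needs at
    # least one character, so this fails too.
    "lb-empty-cert": {
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "web-empty", "annotations": {SSL_CERT_ANNOTATION: ""}},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]},
    },
    # ClusterIP Service without the annotation: the anchor does not fire, passes.
    "cluster-ip": {
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "internal"},
        "spec": {"type": "ClusterIP", "ports": [{"port": 8080}]},
    },
}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        passed, reason = check_service(manifest)
        print(f"{'PASS' if passed else 'FAIL'}  {name}: {reason}")
```

To check the same manifests against the real engine rather than this approximation, write them out as YAML and run the Kyverno CLI, e.g. `kyverno apply require-encryption-aws-loadbalancers.yaml --resource service.yaml`; the CLI evaluates the actual pattern, including the anchor and wildcard semantics the Python above only mirrors.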