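---
# ValidatingAdmissionPolicy "servicecidrs.default": admits a ServiceCIDR only
# when every CIDR it requests lies inside one of the ranges listed in the
# `allowed` variable. It is enforced only once the matching
# ValidatingAdmissionPolicyBinding ("servicecidrs-binding") is also applied.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "servicecidrs.default"
  annotations:
    kubernetes.io/description: >-
      A ValidatingAdmissionPolicy that restricts the IP address ranges that can be
      used for ClusterIP type Services. Deploying this admission policy and its
      associated ValidatingAdmissionPolicyBinding prevents creating (or updating)
      a ServiceCIDR outside the permitted ranges.
spec:
  # Fail closed: if the CEL expressions cannot be evaluated the request is
  # rejected instead of being silently admitted.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["networking.k8s.io"]
        apiVersions: ["v1", "v1beta1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["servicecidrs"]
  matchConditions:
    # The ServiceCIDR named "kubernetes" never reaches the validations below,
    # so its ranges are not checked against `allowed`; keep the two consistent
    # by other means (e.g. the apiserver's service range configuration).
    - name: 'exclude-default-servicecidr'
      expression: "object.metadata.name != 'kubernetes'"
  variables:
    # 2001:db8::/64 is the IPv6 documentation prefix, so these values are
    # illustrative; set them to the ranges this cluster actually permits.
    - name: allowed
      expression: "['10.96.0.0/16','2001:db8::/64']"
  validations:
    # Every requested CIDR must be contained in at least one allowed CIDR.
    # NOTE(review): an empty spec.cidrs list satisfies all() vacuously; this
    # relies on the API's own validation to require at least one entry.
    - expression: "object.spec.cidrs.all(currentCIDR, variables.allowed.exists(allowedCIDR, cidr(allowedCIDR).containsCIDR(currentCIDR)))"
      message: "ServiceCIDR contains a range outside the permitted ranges"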
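---
# Binds "servicecidrs.default" to the whole cluster. Without a binding the
# policy above is defined but never evaluated.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "servicecidrs-binding"
  annotations:
    kubernetes.io/description: >-
      A ValidatingAdmissionPolicyBinding that restricts the IP address ranges that
      can be used for ClusterIP type Services. Deploying this binding and its
      associated ValidatingAdmissionPolicy prevents creating (or updating)
      a ServiceCIDR that falls outside the permitted ranges.
spec:
  policyName: "servicecidrs.default"
  # Deny rejects the request; Audit additionally records the failure on the
  # request's audit event so denied attempts remain visible to audit review.
  # No matchResources is set, so every object the policy matches is covered.
  validationActions: [Deny, Audit]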