Validating ClientIntents
Otterize's ClientIntents CRDs can be validated using Kyverno.

Kyverno is a policy engine designed for Kubernetes. Kyverno policies can validate, mutate, generate, and clean up Kubernetes resources, and verify image signatures and artifacts to help secure the software supply chain.

To install and set up Kyverno, follow the instructions in the Kyverno documentation.

The following are some example Kyverno policies that can be used to validate ClientIntents CRDs:
- Validate that ClientIntents CRDs do not grant any AWS `s3:DeleteObject` actions. The rule loops over every entry in `spec.calls[]` and, within each, over its `awsActions` list, and denies the request if any action equals `s3:DeleteObject`; because `validationFailureAction` is `Enforce`, a matching admission request is rejected rather than only reported:

  ```yaml
  apiVersion: kyverno.io/v1
  kind: ClusterPolicy
  metadata:
    name: validate-clientintents
  spec:
    validationFailureAction: Enforce
    rules:
      - name: deny-s3-deleteobject
        match:
          any:
            - resources:
                kinds:
                  - k8s.otterize.com/v1alpha3/ClientIntents
        validate:
          message: "s3:DeleteObject is not allowed"
          foreach:
            - list: request.object.spec.calls[]
              foreach:
                - list: "element.awsActions"
                  deny:
                    conditions:
                      all:
                        - key: "{{element}}"
                          operator: Equals
                          value: "s3:DeleteObject"
  ```
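The same nested-loop check can be run offline, for example in CI, so that a ClientIntents manifest is flagged before it ever reaches the admission webhook. The Python below is an added example, not Otterize's or Kyverno's code; the three ClientIntents manifests it checks are constructed for illustration. It deliberately goes one step beyond the page's rule: Kyverno's `Equals` operator is an exact string comparison, so the checker also expands IAM-style wildcard actions (assuming `awsActions` hold IAM action strings) and reports a pattern such as `s3:*` that would cover the denied action.

```python
"""Offline pre-check mirroring the Kyverno deny-s3-deleteobject rule.

Added example (not Otterize's or Kyverno's code). The ClientIntents
manifests below are constructed for illustration.
"""
import fnmatch
from typing import Dict, List, Tuple

# The literal the Kyverno rule compares each awsActions element against.
DENIED_ACTION = "s3:DeleteObject"


def denied_actions(client_intents: Dict, denied: str = DENIED_ACTION) -> List[Tuple[str, str]]:
    """Return (call target, action) pairs that the policy would reject.

    Mirrors the nested foreach: the outer loop walks spec.calls[], the inner
    loop walks element.awsActions. Calls with no awsActions key (plain network
    intents) contribute nothing, just as an empty inner list does in Kyverno.

    Beyond the page's rule: Kyverno's Equals is an exact string comparison, so
    IAM-style wildcard actions (assumption: awsActions hold IAM action strings,
    which may contain '*') are expanded with fnmatch and reported when the
    pattern would cover the denied action.
    """
    findings: List[Tuple[str, str]] = []
    spec = client_intents.get("spec") or {}
    for call in spec.get("calls") or []:
        target = call.get("name", "<unnamed>")
        for action in call.get("awsActions") or []:
            if action == denied or fnmatch.fnmatchcase(denied, action):
                findings.append((target, action))
    return findings


def admission_verdict(client_intents: Dict) -> str:
    """Enforce semantics: any finding means the admission request is denied."""
    return "denied" if denied_actions(client_intents) else "allowed"


def _intents(calls: List[Dict]) -> Dict:
    """Build a constructed ClientIntents manifest around the given calls."""
    return {
        "apiVersion": "k8s.otterize.com/v1alpha3",
        "kind": "ClientIntents",
        "metadata": {"name": "client", "namespace": "demo"},
        "spec": {"service": {"name": "client"}, "calls": calls},
    }


# Constructed samples: read/write only, an exact DeleteObject, and a wildcard.
BUCKET = "arn:aws:s3:::example-bucket/*"  # constructed target ARN
SAFE_INTENTS = _intents([
    {"name": BUCKET, "awsActions": ["s3:GetObject", "s3:PutObject"]},
    {"name": "server"},  # network intent without awsActions
])
UNSAFE_INTENTS = _intents([{"name": BUCKET, "awsActions": ["s3:GetObject", "s3:DeleteObject"]}])
WILDCARD_INTENTS = _intents([{"name": BUCKET, "awsActions": ["s3:*"]}])


if __name__ == "__main__":
    for label, manifest in (("safe", SAFE_INTENTS), ("unsafe", UNSAFE_INTENTS), ("wildcard", WILDCARD_INTENTS)):
        print(f"{label}: {admission_verdict(manifest)} {denied_actions(manifest)}")
```

If the cluster-side rule should catch wildcard grants as well, the Kyverno rule needs a second condition (for example an `AnyIn` or pattern-based operator on `{{element}}`) rather than the single `Equals`; the checker above makes that gap visible before the policy is tuned.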