Skip to main content

Validating ClientIntents

Otterize's ClientIntents CRDs can be validated using Kyverno. Kyverno is a policy engine designed for Kubernetes Kyverno policies can validate, mutate, generate, and cleanup Kubernetes resources, and verify image signatures and artifacts to help secure the software supply chain.

To install and setup Kyverno, follow the instructions in the Kyverno documentation.

The following are some example Kyverno policies that can be used to validate ClientIntents CRDs:

  • Validate that ClientIntents CRDs do not have any AWS s3:DeleteAction operations:
    apiVersion: kyverno.io/v1
    kind: ClusterPolicy
    metadata:
      name: validate-clientintents
    spec:
      validationFailureAction: Enforce
      rules:
        - name: deny-s3-deleteobject
          match:
            any:
              - resources:
                  kinds:
                    - k8s.otterize.com/v1alpha3/ClientIntents
          validate:
            message: "s3:DeleteObject is not allowed"
            foreach:
              - list: request.object.spec.calls[]
                foreach:
                  - list: "element.awsActions"
                    deny:
                      conditions:
                        all:
                          - key: "{{element}}"
                            operator: Equals
                            value: "s3:DeleteObject"