
Disallow NodePort in CEL expressions

A Kubernetes Service of type NodePort opens a port on every node and receives traffic from any source that can reach those nodes. A NetworkPolicy cannot be used to control traffic to host ports, so the usual pod-level network controls do not apply. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new or updated Services do not use the `NodePort` type. Note that a Service with no `spec.type` defaults to `ClusterIP` and therefore passes, and that a `LoadBalancer` Service still allocates node ports by default (unless `spec.allocateLoadBalancerNodePorts` is `false`), which this policy does not check. With `validationFailureAction: Audit`, a violating Service is still admitted and the failure is only recorded in a policy report; switch to `Enforce` to reject it.

Policy Definition

/best-practices-cel/restrict-node-port/restrict-node-port.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-nodeport
  annotations:
    policies.kyverno.io/title: Disallow NodePort in CEL expressions
    policies.kyverno.io/category: Best Practices in CEL
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Service
    policies.kyverno.io/description: >-
      A Kubernetes Service of type NodePort uses a host port to receive traffic from
      any source. A NetworkPolicy cannot be used to control traffic to host ports.
      Although NodePort Services can be useful, their use must be limited to Services
      with additional upstream security checks. This policy validates that any new Services
      do not use the `NodePort` type.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: validate-nodeport
    match:
      any:
      - resources:
          kinds:
          - Service
          operations:
          - CREATE
          - UPDATE
    validate:
      cel:
        expressions:
          - expression: "has(object.spec.type) ? (object.spec.type != 'NodePort') : true"
            message: "Services of type NodePort are not allowed."
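To see what the policy above actually decides before rolling it out, here is an added Python model of the rule (example code written for this page, not Kyverno's own code, and it does not execute CEL). It re-implements the `match` block and the single CEL expression over a few constructed Service manifests, shows that a Service with no `spec.type` passes because it defaults to `ClusterIP`, and shows that `Audit` still admits a NodePort Service. The `opens_node_ports` function is a hypothetical stricter check that is not part of the policy: it also flags `LoadBalancer` Services, which allocate node ports unless `spec.allocateLoadBalancerNodePorts` is `false`. The `service` helper and all sample manifests are constructed for the example.

```python
"""Added example: a Python model of the restrict-nodeport ClusterPolicy.
Not Kyverno code and not a CEL evaluator; it mirrors the rule's match block
and its one expression so the edge cases can be exercised offline."""

from dataclasses import dataclass, field

# Mirrors spec fields of the policy as it appears on this page.
VALIDATION_FAILURE_ACTION = "Audit"   # Audit: report only; Enforce: reject
MATCH_KINDS = {"Service"}
MATCH_OPERATIONS = {"CREATE", "UPDATE"}
MESSAGE = "Services of type NodePort are not allowed."


@dataclass
class Decision:
    matched: bool            # did the rule's match block select this request
    passed: bool             # did the CEL expression evaluate to true
    admitted: bool           # would the admission request be allowed
    violations: list = field(default_factory=list)


def rule_matches(obj: dict, operation: str) -> bool:
    """The match block: kind Service on CREATE or UPDATE (DELETE is ignored)."""
    return obj.get("kind") in MATCH_KINDS and operation in MATCH_OPERATIONS


def cel_expression(obj: dict) -> bool:
    """Python rendering of the policy's expression:
    has(object.spec.type) ? (object.spec.type != 'NodePort') : true
    A Service with no spec.type defaults to ClusterIP, so it passes."""
    spec = obj.get("spec", {})
    if "type" in spec:
        return spec["type"] != "NodePort"
    return True


def evaluate(obj: dict, operation: str = "CREATE",
             failure_action: str = VALIDATION_FAILURE_ACTION) -> Decision:
    """Combine match + validate the way the policy is configured."""
    if not rule_matches(obj, operation):
        return Decision(matched=False, passed=True, admitted=True)
    passed = cel_expression(obj)
    violations = [] if passed else [MESSAGE]
    # In Audit mode a failing resource is still admitted and the failure only
    # lands in a PolicyReport. Only Enforce rejects the request.
    admitted = passed or failure_action == "Audit"
    return Decision(True, passed, admitted, violations)


def opens_node_ports(obj: dict) -> bool:
    """Hypothetical stricter check, NOT part of the page's policy: a
    LoadBalancer Service also allocates node ports unless
    spec.allocateLoadBalancerNodePorts is false."""
    spec = obj.get("spec", {})
    svc_type = spec.get("type", "ClusterIP")
    if svc_type == "NodePort":
        return True
    if svc_type == "LoadBalancer":
        return bool(spec.get("allocateLoadBalancerNodePorts", True))
    return False


def service(name: str, **spec) -> dict:
    """Constructed sample Service manifest (not from the page)."""
    return {"apiVersion": "v1", "kind": "Service",
            "metadata": {"name": name}, "spec": spec}


if __name__ == "__main__":
    samples = [
        service("web-nodeport", type="NodePort", ports=[{"port": 80}]),
        service("web-clusterip", type="ClusterIP", ports=[{"port": 80}]),
        service("web-default", ports=[{"port": 80}]),       # no spec.type
        service("web-lb", type="LoadBalancer", ports=[{"port": 80}]),
    ]
    for svc in samples:
        d = evaluate(svc)
        print(f"{svc['metadata']['name']:14} passed={d.passed} "
              f"admitted={d.admitted} opens_node_ports={opens_node_ports(svc)}")
```

The `web-default` row is the case the `has(object.spec.type)` guard exists for: without it the expression would error on a Service that omits `spec.type` instead of passing it. Running the same samples with `failure_action="Enforce"` is the quickest way to confirm what flips once the policy leaves audit mode.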