Back to Policies

Enforce etcd encryption in OpenShift in CEL expressions

Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-etcd-encryption
  annotations:
    policies.kyverno.io/title: Enforce etcd encryption in OpenShift in CEL expressions
    policies.kyverno.io/category: OpenShift
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: 1.26-1.27
    policies.kyverno.io/subject: APIServer
    policies.kyverno.io/description: Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters.
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-etcd-encryption
      match:
        any:
          - resources:
              kinds:
                - config.openshift.io/v1/APIServer
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            - expression: has(object.spec.encryption)
              message: Encryption should be enabled for etcd

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Use of Default Project in CEL expressions

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application