Back to Policies

Protect Node Taints

Node taints are often used as a control in multi-tenant use cases. If users can alter them, they may be able to affect scheduling of Pods which may impact other workloads. This sample prohibits altering of node taints unless by a user holding the `cluster-admin` ClusterRole. Use of this policy requires removal of the Node resource filter in the Kyverno ConfigMap ([Node,*,*]). Due to Kubernetes CVE-2021-25735, this policy requires, at minimum, one of the following versions of Kubernetes: v1.18.18, v1.19.10, v1.20.6, or v1.21.0.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: protect-node-taints
  annotations:
    policies.kyverno.io/title: Protect Node Taints
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Node
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: "Node taints are often used as a control in multi-tenant use cases. If users can alter them, they may be able to affect scheduling of Pods which may impact other workloads. This sample prohibits altering of node taints unless by a user holding the `cluster-admin` ClusterRole. Use of this policy requires removal of the Node resource filter in the Kyverno ConfigMap ([Node,*,*]). Due to Kubernetes CVE-2021-25735, this policy requires, at minimum, one of the following versions of Kubernetes: v1.18.18, v1.19.10, v1.20.6, or v1.21.0."
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: protect-node-taints
      match:
        any:
          - resources:
              kinds:
                - Node
      exclude:
        clusterRoles:
          - cluster-admin
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: Equals
            value: UPDATE
      validate:
        message: Node taints may not be altered.
        deny:
          conditions:
            any:
              - key: "{{request.object.spec.taints}}"
                operator: NotEquals
                value: ""
              - key: "{{request.oldObject.spec.taints}}"
                operator: NotEquals
                value: "{{request.object.spec.taints}}"

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application
ValidateMedium

Ensure ApplicationSet Name Matches Project

This policy ensures that the name of the ApplicationSet is the same value provided in the project.

ApplicationSet