kyverno/test/cli/test-validating-policy/json-check-dockerfile/policy.yaml

apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: check-dockerfile-disallow-curl
spec:
  evaluation:
    mode: JSON
  validations:
    - message: "curl is not allowed"
      expression: >- 
        !object.Stages.exists(s, 
          s.Commands.exists(c, 
            has(c.CmdLine) && c.CmdLine.exists(cmd, string(cmd).contains('curl'))
          )
        )
---
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: check-dockerfile-disallow-wget
spec:
  evaluation:
    mode: JSON
  validations:
    - message: "wget is not allowed"
      expression: >- 
        !object.Stages.exists(s, 
          s.Commands.exists(c, 
            has(c.CmdLine) && c.CmdLine.exists(cmd, string(cmd).contains('wget'))
          )
        )
    - message: "HTTP calls are not allowed"
      expression: >- 
        !object.Stages.exists(s, 
          s.Commands.exists(c, 
            c.Args.exists(a, 
              a.Value.contains('http://') || a.Value.contains('https://')
            )
          )
        )
feat: support json payload via CLI apply command (#12296) * chore: remove unused code Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: support json in CLI apply command Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: remove not used validation expressions Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: update codegen docs Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2025-03-06 16:48:26 +08:00			`apiVersion: policies.kyverno.io/v1alpha1`
			`kind: ValidatingPolicy`
			`metadata:`
			`name: check-dockerfile-disallow-curl`
			`spec:`
			`evaluation:`
			`mode: JSON`
			`validations:`
			`- message: "curl is not allowed"`
			`expression: >-`
			`!object.Stages.exists(s,`
			`s.Commands.exists(c,`
			`has(c.CmdLine) && c.CmdLine.exists(cmd, string(cmd).contains('curl'))`
			`)`
			`)`
			`---`
			`apiVersion: policies.kyverno.io/v1alpha1`
			`kind: ValidatingPolicy`
			`metadata:`
			`name: check-dockerfile-disallow-wget`
			`spec:`
			`evaluation:`
			`mode: JSON`
			`validations:`
			`- message: "wget is not allowed"`
			`expression: >-`
			`!object.Stages.exists(s,`
			`s.Commands.exists(c,`
			`has(c.CmdLine) && c.CmdLine.exists(cmd, string(cmd).contains('wget'))`
			`)`
			`)`
			`- message: "HTTP calls are not allowed"`
			`expression: >-`
			`!object.Stages.exists(s,`
			`s.Commands.exists(c,`
			`c.Args.exists(a,`
			`a.Value.contains('http://') \|\| a.Value.contains('https://')`
			`)`
			`)`
			`)`