---
# Kyverno ClusterPolicy `allowed-annotations`.
# Only `status` carries content here: `spec` is an empty map and the rules live
# under `status.autogen.rules`, i.e. the pod-controller rules Kyverno derived from
# the policy's own rule via auto-generation. NOTE(review): the shape (empty spec,
# populated status, a Ready condition) reads like a test assertion of the
# generated status rather than a policy meant to be applied — confirm with the
# surrounding test files.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-annotations
spec: {}
status:
  autogen:
    rules:
      # Pod controllers whose pod template sits at `spec.template`.
      - match:
          any:
            - resources:
                kinds:
                  - DaemonSet
                  - Deployment
                  - Job
                  - ReplicaSet
                  - ReplicationController
                  - StatefulSet
        name: autogen-allowed-fluxcd-annotations
        validate:
          deny:
            conditions:
              all:
                # JMESPath: every pod-template annotation key containing
                # `fluxcd.io/`. The doubled '' is the single-quote escape inside
                # a single-quoted YAML scalar, so the JMESPath literal is 'fluxcd.io/'.
                # With AnyNotIn, the request is denied as soon as one such key is
                # outside the approved list below.
                # NOTE(review): when the template has no `annotations` map, `keys(@)`
                # is applied to null; confirm how the source rule guards that case
                # before relying on the generated rule (this block only mirrors it).
                - key: '{{ request.object.spec.template.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}'
                  operator: AnyNotIn
                  value:
                    - fluxcd.io/cow
                    - fluxcd.io/dog
          message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.
          # Enforce: a failed deny condition blocks the admission request
          # instead of only reporting it.
          failureAction: Enforce

      # CronJob reaches the pod template one level deeper, via `spec.jobTemplate`.
      - match:
          any:
            - resources:
                kinds:
                  - CronJob
        name: autogen-cronjob-allowed-fluxcd-annotations
        validate:
          deny:
            conditions:
              all:
                # Same check as above, rooted at the CronJob's job template.
                - key: '{{ request.object.spec.jobTemplate.spec.template.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}'
                  operator: AnyNotIn
                  value:
                    - fluxcd.io/cow
                    - fluxcd.io/dog
          message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.
          failureAction: Enforce

  # Readiness condition reported on the policy object. `status` is quoted so it
  # stays the string "True" rather than a YAML boolean.
  conditions:
    - reason: Succeeded
      status: "True"
      type: Ready