apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: labels: webhook.kyverno.io/managed-by: kyverno name: kyverno-resource-validating-webhook-cfg webhooks: - admissionReviewVersions: - v1 clientConfig: service: name: kyverno-svc namespace: kyverno path: /policies/vpol/validate/fail/finegrained/disallow-privilege-escalation port: 443 failurePolicy: Fail matchConditions: - expression: '!(object.kind == ''Pod'') || has(object.metadata.labels) && has(object.metadata.labels.prod) && object.metadata.labels.prod == ''true''' name: check-prod-label - expression: '!(object.kind ==''Deployment'' || object.kind ==''ReplicaSet'' || object.kind ==''StatefulSet'' || object.kind ==''DaemonSet'') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod) && object.spec.template.metadata.labels.prod == ''true''' name: autogen-check-prod-label - expression: '!(object.kind ==''CronJob'') || has(object.spec.jobTemplate.spec.template.metadata.labels) && has(object.spec.jobTemplate.spec.template.metadata.labels.prod) && object.spec.jobTemplate.spec.template.metadata.labels.prod == ''true''' name: autogen-cronjobs-check-prod-label matchPolicy: Equivalent name: vpol.validate.kyverno.svc-fail-finegrained-disallow-privilege-escalation namespaceSelector: {} objectSelector: {} rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE - UPDATE resources: - pods scope: '*' - apiGroups: - apps apiVersions: - v1 operations: - CREATE - UPDATE resources: - daemonsets - deployments - replicasets - statefulsets scope: '*' - apiGroups: - batch apiVersions: - v1 operations: - CREATE - UPDATE resources: - jobs scope: '*' - apiGroups: - batch apiVersions: - v1 operations: - CREATE - UPDATE resources: - cronjobs scope: '*' sideEffects: NoneOnDryRun timeoutSeconds: 10