Prevent Use of Default Project in CEL expressions

This policy prevents the use of the default project in an Application.

Policy Definition

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: application-prevent-default-project
  annotations:
    policies.kyverno.io/title: Prevent Use of Default Project in CEL expressions
    policies.kyverno.io/category: Argo in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: 1.26-1.27
    policies.kyverno.io/subject: Application
    policies.kyverno.io/description: This policy prevents the use of the default project in an Application.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: default-project
      match:
        any:
          - resources:
              kinds:
                - Application
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            - expression: object.spec.?project.orValue('') != 'default'
              message: The default project may not be used in an Application.

Related Policies

ValidateMedium

Ensure ApplicationSet Name Matches Project in CEL expressions

This policy ensures that the name of the ApplicationSet is the same value provided in the project.

ApplicationSet

ValidateMedium

Prevent Updates to Project in CEL expressions

This policy prevents updates to the project field after an Application is created.

Application

ValidateMedium

Enforce AppProject with clusterResourceBlacklist in CEL expressions

An AppProject may optionally specify clusterResourceBlacklist which is a blacklisted group of cluster resources. This is often a good practice to ensure AppProjects do not allow more access than needed. This policy is a combination of two rules which enforce that all AppProjects specify clusterResourceBlacklist and that their group and kind have wildcards as values.

AppProject