Prevent Linkerd Port Skipping

Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting them from mTLS. This can be important in some narrow use cases but generally should be avoided. This policy prevents Pods from setting the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`.

Policy Definition

/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: prevent-linkerd-port-skipping
  annotations:
    policies.kyverno.io/title: Prevent Linkerd Port Skipping
    policies.kyverno.io/category: Linkerd
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting
      them from mTLS. This can be important in some narrow use cases but
      generally should be avoided. This policy prevents Pods from setting
      the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: pod-prevent-port-skipping
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Pods may not skip ports. The annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports` must not be set."
      pattern:
        metadata:
          # =() is a conditional anchor: the keys below are only checked when the Pod has annotations.
          =(annotations):
            # X() is a negation anchor: the named key must not be present.
            X(config.linkerd.io/skip-inbound-ports): "null"
            X(config.linkerd.io/skip-outbound-ports): "null"
```
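To see what this pattern accepts and rejects without a cluster, here is an added example (not Kyverno's engine and not part of the policy library): a small Python evaluator for the two anchor forms the pattern uses, run against constructed Pod manifests. The `pod` helper and its sample annotation values are assumptions for illustration.

```python
# Added example (not Kyverno's engine): a minimal evaluator for the two anchor
# forms this policy uses, so its verdict on sample Pods can be checked offline.
# PATTERN is validate.pattern from the policy above, transcribed as a dict.
PATTERN = {
    "metadata": {
        "=(annotations)": {
            "X(config.linkerd.io/skip-inbound-ports)": "null",
            "X(config.linkerd.io/skip-outbound-ports)": "null",
        }
    }
}

def matches(pattern: dict, resource: dict) -> bool:
    """True when `resource` satisfies `pattern`.
    =(key): conditional anchor; its sub-pattern applies only if `key` exists.
    X(key): negation anchor; `key` must be absent (the "null" value is unused).
    plain key: must exist and match, recursively for dict values."""
    for key, expected in pattern.items():
        if key.startswith("=(") and key.endswith(")"):
            inner = key[2:-1]
            if inner in resource and not matches(expected, resource[inner]):
                return False
        elif key.startswith("X(") and key.endswith(")"):
            if key[2:-1] in resource:
                return False
        elif key not in resource:
            return False
        elif isinstance(expected, dict):
            if not (isinstance(resource[key], dict) and matches(expected, resource[key])):
                return False
        elif resource[key] != expected:
            return False
    return True

def pod(annotations=None) -> dict:
    """Constructed Pod manifest (hypothetical); annotations omitted when None."""
    meta = {"name": "demo", "namespace": "default"}
    if annotations is not None:
        meta["annotations"] = annotations
    return {"apiVersion": "v1", "kind": "Pod", "metadata": meta}

if __name__ == "__main__":
    for label, ann in [("no annotations", None),
                       ("unrelated annotation", {"linkerd.io/inject": "enabled"}),
                       ("skip-inbound-ports set", {"config.linkerd.io/skip-inbound-ports": "4222"}),
                       ("skip-outbound-ports set", {"config.linkerd.io/skip-outbound-ports": "3306"})]:
        print(f"{label:24s} -> {'pass' if matches(PATTERN, pod(ann)) else 'violation'}")
```

Because `=(annotations)` is conditional, a Pod with no annotations at all passes; only Pods that carry one of the two skip annotations produce a violation.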