All Policies

Enforce etcd encryption in OpenShift

Encrption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters.

Policy Definition

/openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: enforce-etcd-encryption
 5  annotations:
 6    policies.kyverno.io/title: Enforce etcd encryption in OpenShift
 7    policies.kyverno.io/category: OpenShift
 8    policies.kyverno.io/severity: high
 9    kyverno.io/kyverno-version: 1.6.0
10    policies.kyverno.io/minversion: 1.6.0
11    kyverno.io/kubernetes-version: "1.20"
12    policies.kyverno.io/subject: APIServer
13    policies.kyverno.io/description: >-
14            Encrption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters.
15spec:
16  validationFailureAction: enforce
17  background: true
18  rules:
19  - name: check-etcd-encryption
20    match:
21      any:
22      - resources:
23          kinds:
24          - config.openshift.io/v1/APIServer
25    validate:
26      message: >-
27                Encryption should be enabled for etcd
28      deny: 
29        conditions:
30          all:
31          - key: "{{ keys(request.object.spec) | contains(@, 'encryption') }}"
32            operator: NotEquals
33            value: true
Create policy issue