Protect Node Taints
Node taints are often used as a control in multi-tenant use cases. If users can alter them, they may be able to affect scheduling of Pods, which may impact other workloads. This sample prohibits altering node taints unless the requesting user holds the `cluster-admin` ClusterRole. Use of this policy requires removal of the Node resource filter in the Kyverno ConfigMap ([Node,*,*]); otherwise Kyverno never sees Node admission requests and the rule cannot fire. Due to Kubernetes CVE-2021-25735, this policy requires, at minimum, one of the following versions of Kubernetes: v1.18.18, v1.19.10, v1.20.6, or v1.21.0.
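The two prerequisites above (a patched Kubernetes version and a Kyverno ConfigMap without the `[Node,*,*]` filter) can be checked and applied with the following added shell example, which is not part of the Kyverno policy or its repository. It assumes the Kyverno ConfigMap is named `kyverno` in the `kyverno` namespace, and the `SAMPLE_FILTERS` string is constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the Kyverno policy repository.

# Return 0 when the server version meets the minimum patch level listed on the
# page for CVE-2021-25735: v1.18.18, v1.19.10, v1.20.6, or any v1.21.0+.
# Accepts values such as "v1.20.6" or "v1.19.10-gke.1600".
k8s_version_ok() {
  v=${1#v}
  minor=$(printf '%s' "$v" | cut -d. -f2)
  patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/[^0-9].*//')
  patch=${patch:-0}
  case "$minor" in
    18) [ "$patch" -ge 18 ] ;;
    19) [ "$patch" -ge 10 ] ;;
    20) [ "$patch" -ge 6 ] ;;
    *)  [ "$minor" -ge 21 ] ;;
  esac
}

# Return 0 when a resourceFilters string still contains the Node filter.
has_node_filter() {
  case "$1" in
    *'[Node,*,*]'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the resourceFilters string with every [Node,*,*] entry removed.
strip_node_filter() {
  printf '%s' "$1" | sed 's/\[Node,\*,\*\]//g'
}

# Constructed sample of a resourceFilters value; the live value is read from
# the ConfigMap (assumed name/namespace: kyverno/kyverno).
SAMPLE_FILTERS='[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*]'

# Against a live cluster (commented out so the script runs offline):
# kubectl version -o json | grep gitVersion            # feed into k8s_version_ok
# current=$(kubectl -n kyverno get configmap kyverno -o jsonpath='{.data.resourceFilters}')
# if has_node_filter "$current"; then
#   kubectl -n kyverno patch configmap kyverno --type merge \
#     -p "{\"data\":{\"resourceFilters\":\"$(strip_node_filter "$current")\"}}"
# fi
```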
Policy Definition
/other/protect_node_taints/protect-node-taints.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: protect-node-taints
  annotations:
    policies.kyverno.io/title: Protect Node Taints
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Node
    policies.kyverno.io/description: >-
      Node taints are often used as a control in multi-tenant use cases.
      If users can alter them, they may be able to affect scheduling of
      Pods which may impact other workloads. This sample prohibits
      altering of node taints unless by a user holding the `cluster-admin`
      ClusterRole. Use of this policy requires removal of the Node resource filter
      in the Kyverno ConfigMap ([Node,*,*]). Due to Kubernetes CVE-2021-25735, this policy
      requires, at minimum, one of the following versions of Kubernetes:
      v1.18.18, v1.19.10, v1.20.6, or v1.21.0.
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: protect-node-taints
    match:
      resources:
        kinds:
        - Node
    exclude:
      clusterRoles:
      - cluster-admin
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: Equals
        value: UPDATE
    validate:
      message: "Node taints may not be altered."
      deny:
        conditions:
          any:
          - key: "{{request.object.spec.taints}}"
            operator: NotEquals
            value: ""
          - key: "{{request.oldObject.spec.taints}}"
            operator: NotEquals
            value: "{{request.object.spec.taints}}"
```