This policy prevents the use of the default project in an Application.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: application-prevent-default-projectannotations:policies.kyverno.io/title: Prevent Use of Default Project in CEL expressionspolicies.kyverno.io/category: Argo in CELpolicies.kyverno.io/severity: mediumkyverno.io/kyverno-version: 1.11.0policies.kyverno.io/minversion: 1.11.0kyverno.io/kubernetes-version: 1.26-1.27policies.kyverno.io/subject: Applicationpolicies.kyverno.io/description: This policy prevents the use of the default project in an Application.spec:validationFailureAction: Auditbackground: truerules:- name: default-projectmatch:any:- resources:kinds:- Applicationoperations:- CREATE- UPDATEvalidate:cel:expressions:- expression: object.spec.?project.orValue('') != 'default'message: The default project may not be used in an Application.
This policy ensures that the name of the ApplicationSet is the same value provided in the project.
According to EKS best practices, the `aws-node` DaemonSet is configured to use a role assigned to the EC2 instances to assign IPs to Pods. This role includes several AWS managed policies that effectively allow all Pods running on a Node to attach/detach ENIs, assign/unassign IP addresses, or pull images from ECR. Since this presents a risk to your cluster, it is recommended that you update the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount.
This policy prevents updates to the project field after an Application is created.