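{{- /*
  manifests/charts/base/templates/validatingadmissionpolicy.yaml
  (istio.io/istio@v0.0.0-20240520182934-d79c90f27776)

  Renders a ValidatingAdmissionPolicy and its binding only when
  .Values.experimental.stableValidationPolicy is set AND .Values.defaultRevision
  is non-empty. With either value unset, nothing is installed and the API server
  applies none of the restrictions below.
*/ -}}
{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
# Requires a cluster that serves admissionregistration.k8s.io/v1
# ValidatingAdmissionPolicy (GA in Kubernetes 1.30); on older clusters this
# manifest will not apply.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "stable-channel-default-policy.istio.io"
  labels:
    # Label values must be strings. Quote the templated values so that an
    # all-digit release name or revision is not parsed as a YAML integer.
    release: {{ .Release.Name | quote }}
    istio: istiod
    istio.io/rev: {{ .Values.defaultRevision | quote }}
spec:
  # Fail closed: if a CEL expression errors at evaluation time, the request is
  # rejected rather than admitted.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    # Every resource in these four Istio API groups, at any version.
    # Only CREATE and UPDATE are matched, so objects that already exist in the
    # cluster are not evaluated until they are next written; audit existing
    # objects separately when enabling this policy.
    - apiGroups:
      - security.istio.io
      - networking.istio.io
      - telemetry.istio.io
      - extensions.istio.io
      apiVersions: ["*"]
      operations: ["CREATE", "UPDATE"]
      resources: ["*"]
  variables:
  # Kind tests are by object.kind only; group and version are not compared.
  - name: isEnvoyFilter
    expression: "object.kind == 'EnvoyFilter'"
  - name: isWasmPlugin
    expression: "object.kind == 'WasmPlugin'"
  - name: isProxyConfig
    expression: "object.kind == 'ProxyConfig'"
  - name: isTelemetry
    expression: "object.kind == 'Telemetry'"
  validations:
  # Each validation carries a message so that a denied request names the rule
  # that rejected it instead of only echoing the failed CEL expression.
  # These three kinds are rejected outright, whatever their contents.
  - expression: "!variables.isEnvoyFilter"
    message: "EnvoyFilter is denied by stable-channel-default-policy.istio.io"
  - expression: "!variables.isWasmPlugin"
    message: "WasmPlugin is denied by stable-channel-default-policy.istio.io"
  - expression: "!variables.isProxyConfig"
    message: "ProxyConfig is denied by stable-channel-default-policy.istio.io"
  # Telemetry is admitted unless any tracing entry sets
  # useRequestIdForTraceSampling, any metrics entry sets reportingInterval, or
  # any accessLogging entry sets filter. A missing list is replaced by an empty
  # value so that exists() is false for it.
  # NOTE(review): has(object.spec.<field>) presumably errors when spec itself is
  # absent; with failurePolicy: Fail that would deny the request - confirm.
  - expression: |
      !(
        variables.isTelemetry && (
          (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
          (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
          (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
        )
      )
    message: "Telemetry fields tracing[].useRequestIdForTraceSampling, metrics[].reportingInterval and accessLogging[].filter are denied by stable-channel-default-policy.istio.io"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "stable-channel-default-policy-binding.istio.io"
spec:
  policyName: "stable-channel-default-policy.istio.io"
  # No matchResources is set, so the binding is not narrowed to particular
  # namespaces or objects. Deny rejects violating requests immediately; Warn
  # and Audit are the non-blocking actions to use when trialling the policy
  # before enforcing it.
  validationActions: [Deny]
{{- end }}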