Require Istio AuthorizationPolicies
An AuthorizationPolicy is used to provide access controls for traffic in the mesh and can be defined at multiple levels. For the Namespace level, all Namespaces should have at least one AuthorizationPolicy. This policy, designed to run in background mode for reporting purposes, ensures every Namespace has at least one AuthorizationPolicy.
Policy Definition
/istio/require-authorizationpolicy/require-authorizationpolicy.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-authorizationpolicies
  annotations:
    policies.kyverno.io/title: Require Istio AuthorizationPolicies
    policies.kyverno.io/category: Istio
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: AuthorizationPolicy
    policies.kyverno.io/description: >-
      An AuthorizationPolicy is used to provide access controls for traffic in the mesh and
      can be defined at multiple levels. For the Namespace level, all Namespaces should have
      at least one AuthorizationPolicy. This policy, designed to run in background mode for reporting
      purposes, ensures every Namespace has at least one AuthorizationPolicy.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: check-authz-pol
    match:
      any:
      - resources:
          kinds:
          - Namespace
    context:
    - name: allauthorizationpolicies
      apiCall:
        urlPath: "/apis/security.istio.io/v1beta1/authorizationpolicies"
        jmesPath: "items[].metadata.namespace"
    validate:
      message: "All Namespaces must have an AuthorizationPolicy."
      deny:
        conditions:
          all:
          - key: "{{request.object.metadata.name}}"
            operator: AnyNotIn
            value: "{{allauthorizationpolicies}}"
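A namespace-scoped AuthorizationPolicy that satisfies this rule is shown below as an added example; it is not part of the Kyverno policy above, and the namespace name team-a is an assumption. It uses the default-deny pattern, which is the baseline a namespace should start from before explicit ALLOW policies are added.

```yaml
# Added example, not from the Kyverno policy repository.
# One object like this per workload namespace makes the Namespace pass
# the check-authz-pol rule, because the rule's apiCall collects
# items[].metadata.namespace across all AuthorizationPolicies.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny
  namespace: team-a   # assumed namespace name
# No selector: the policy applies to every workload in the namespace.
# No rules: Istio treats an AuthorizationPolicy with an empty spec as
# deny-all for the matched workloads, so traffic must then be opened up
# with explicit ALLOW policies scoped to specific sources and paths.
spec: {}
```

Because the Kyverno context only records the namespace each AuthorizationPolicy lives in, a mesh-wide policy placed in the Istio root namespace counts for that namespace alone; every other namespace still needs its own object to be reported compliant.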