Back to catalog

Required Annotation: Email

No violationsstackroxlowdeploy

Alert on deployments missing the 'email' annotation

Rationale
The 'email' annotation should always be specified so that issues with the deployment can quickly be routed to the proper party.
Remediation
Redeploy your service and set the 'email' annotation as your email or your team's email.
CategoriesDevOps Best PracticesSecurity Best PracticesSupply Chain Security
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 28.1Art. 9.2
ISO/IEC 27001 2022
A.8.25A.8.9
NIST SP 800-53 rev. 5
CM-2SR-4
PCI DSS 4.0
2.2.16.4.3
SOC 2 2017 TSC
CC6.8CC8.1

Generated artifacts

3 of 5 targets supported
required-annotation-email.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: required-annotation-email
  annotations:
    policies.kyverno.io/title: "Required Annotation: Email"
    policies.kyverno.io/category: DevOps Best Practices, Security Best Practices, Supply Chain Security
    policies.kyverno.io/severity: low
    policies.kyverno.io/description: Alert on deployments missing the 'email' annotation
    policies.kyverno.io/remediation: Redeploy your service and set the 'email' annotation as your email or your team's email.
    policies.kyverno.io/rationale: The 'email' annotation should always be specified so that issues with the deployment can quickly be routed to the proper party.
    policies.io/source: stackrox
    policies.io/source-id: 014a03c6-9053-49b5-88ea-c1efcf19804f
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: required-annotation-email
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Policy \"Required Annotation: Email\" violated: Alert on deployments missing the 'email' annotation"
        deny:
          conditions:
            all:
              - key: "{{ keys(request.object.metadata.annotations || `{}`) }}"
                operator: AnyNotIn
                value:
                  - email
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
          - resources:
              namespaces:
                - istio-system
IR (canonical)
{
  "id": "014a03c6-9053-49b5-88ea-c1efcf19804f",
  "name": "Required Annotation: Email",
  "description": "Alert on deployments missing the 'email' annotation",
  "rationale": "The 'email' annotation should always be specified so that issues with the deployment can quickly be routed to the proper party.",
  "remediation": "Redeploy your service and set the 'email' annotation as your email or your team's email.",
  "severity": "low",
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices",
    "Supply Chain Security"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "namespace": "kube-system"
    },
    {
      "name": "Don't alert on istio-system namespace",
      "namespace": "istio-system"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "required-annotation",
    "values": [
      "email=[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "014a03c6-9053-49b5-88ea-c1efcf19804f",
  "name": "Required Annotation: Email",
  "description": "Alert on deployments missing the 'email' annotation",
  "rationale": "The 'email' annotation should always be specified so that issues with the deployment can quickly be routed to the proper party.",
  "remediation": "Redeploy your service and set the 'email' annotation as your email or your team's email.",
  "disabled": true,
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices",
    "Supply Chain Security"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on istio-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "istio-system",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Required Annotation",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "email=[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}