Back to catalog

Required Annotation: Owner/Team

No violationsstackroxlowdeploy

Alert on deployments missing the 'owner' or 'team' annotation

Rationale
The 'owner' or 'team' annotation should always be specified so that the deployment can quickly be associated with a specific user or team.
Remediation
Redeploy your service and set the 'owner' or 'team' annotation to yourself or your team respectively per organizational standards.
CategoriesDevOps Best PracticesSecurity Best PracticesSupply Chain Security
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 28.1Art. 9.2
ISO/IEC 27001 2022
A.8.25A.8.9
NIST SP 800-53 rev. 5
CM-2SR-4
PCI DSS 4.0
2.2.16.4.3
SOC 2 2017 TSC
CC6.8CC8.1

Generated artifacts

3 of 5 targets supported
required-annotation-owner-team.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: required-annotation-owner-team
  annotations:
    policies.kyverno.io/title: "Required Annotation: Owner/Team"
    policies.kyverno.io/category: DevOps Best Practices, Security Best Practices, Supply Chain Security
    policies.kyverno.io/severity: low
    policies.kyverno.io/description: Alert on deployments missing the 'owner' or 'team' annotation
    policies.kyverno.io/remediation: Redeploy your service and set the 'owner' or 'team' annotation to yourself or your team respectively per organizational standards.
    policies.kyverno.io/rationale: The 'owner' or 'team' annotation should always be specified so that the deployment can quickly be associated with a specific user or team.
    policies.io/source: stackrox
    policies.io/source-id: 1a498d97-0cc2-45f5-b32e-1f3cca6a3113
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: required-annotation-owner-team
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Policy \"Required Annotation: Owner/Team\" violated: Alert on deployments missing the 'owner' or 'team' annotation"
        deny:
          conditions:
            all:
              - key: "{{ keys(request.object.metadata.annotations || `{}`) }}"
                operator: AnyNotIn
                value:
                  - owner|team
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
          - resources:
              namespaces:
                - istio-system
IR (canonical)
{
  "id": "1a498d97-0cc2-45f5-b32e-1f3cca6a3113",
  "name": "Required Annotation: Owner/Team",
  "description": "Alert on deployments missing the 'owner' or 'team' annotation",
  "rationale": "The 'owner' or 'team' annotation should always be specified so that the deployment can quickly be associated with a specific user or team.",
  "remediation": "Redeploy your service and set the 'owner' or 'team' annotation to yourself or your team respectively per organizational standards.",
  "severity": "low",
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices",
    "Supply Chain Security"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "namespace": "kube-system"
    },
    {
      "name": "Don't alert on istio-system namespace",
      "namespace": "istio-system"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "required-annotation",
    "values": [
      "owner|team=.+"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "1a498d97-0cc2-45f5-b32e-1f3cca6a3113",
  "name": "Required Annotation: Owner/Team",
  "description": "Alert on deployments missing the 'owner' or 'team' annotation",
  "rationale": "The 'owner' or 'team' annotation should always be specified so that the deployment can quickly be associated with a specific user or team.",
  "remediation": "Redeploy your service and set the 'owner' or 'team' annotation to yourself or your team respectively per organizational standards.",
  "disabled": true,
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices",
    "Supply Chain Security"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on istio-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "istio-system",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Required Annotation",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "owner|team=.+"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}