Required Annotation: Owner/Team
No violationsstackroxlowdeployAlert on deployments missing the 'owner' or 'team' annotation
- Rationale
- The 'owner' or 'team' annotation should always be specified so that the deployment can quickly be associated with a specific user or team.
- Remediation
- Redeploy your service and set the 'owner' or 'team' annotation to yourself or your team respectively per organizational standards.
CategoriesDevOps Best PracticesSecurity Best PracticesSupply Chain Security
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 28.1Art. 9.2
- ISO/IEC 27001 2022
- A.8.25A.8.9
- NIST SP 800-53 rev. 5
- CM-2SR-4
- PCI DSS 4.0
- 2.2.16.4.3
- SOC 2 2017 TSC
- CC6.8CC8.1
Generated artifacts
3 of 5 targets supportedrequired-annotation-owner-team.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: required-annotation-owner-team
annotations:
policies.kyverno.io/title: "Required Annotation: Owner/Team"
policies.kyverno.io/category: DevOps Best Practices, Security Best Practices, Supply Chain Security
policies.kyverno.io/severity: low
policies.kyverno.io/description: Alert on deployments missing the 'owner' or 'team' annotation
policies.kyverno.io/remediation: Redeploy your service and set the 'owner' or 'team' annotation to yourself or your team respectively per organizational standards.
policies.kyverno.io/rationale: The 'owner' or 'team' annotation should always be specified so that the deployment can quickly be associated with a specific user or team.
policies.io/source: stackrox
policies.io/source-id: 1a498d97-0cc2-45f5-b32e-1f3cca6a3113
spec:
validationFailureAction: Audit
background: true
rules:
- name: required-annotation-owner-team
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Policy \"Required Annotation: Owner/Team\" violated: Alert on deployments missing the 'owner' or 'team' annotation"
deny:
conditions:
all:
- key: "{{ keys(request.object.metadata.annotations || `{}`) }}"
operator: AnyNotIn
value:
- owner|team
exclude:
any:
- resources:
namespaces:
- kube-system
- resources:
namespaces:
- istio-system
IR (canonical)
{
"id": "1a498d97-0cc2-45f5-b32e-1f3cca6a3113",
"name": "Required Annotation: Owner/Team",
"description": "Alert on deployments missing the 'owner' or 'team' annotation",
"rationale": "The 'owner' or 'team' annotation should always be specified so that the deployment can quickly be associated with a specific user or team.",
"remediation": "Redeploy your service and set the 'owner' or 'team' annotation to yourself or your team respectively per organizational standards.",
"severity": "low",
"categories": [
"DevOps Best Practices",
"Security Best Practices",
"Supply Chain Security"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"namespace": "kube-system"
},
{
"name": "Don't alert on istio-system namespace",
"namespace": "istio-system"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "required-annotation",
"values": [
"owner|team=.+"
],
"valuesOp": "or",
"negate": false
},
"disabled": true
}Original StackRox JSON
{
"id": "1a498d97-0cc2-45f5-b32e-1f3cca6a3113",
"name": "Required Annotation: Owner/Team",
"description": "Alert on deployments missing the 'owner' or 'team' annotation",
"rationale": "The 'owner' or 'team' annotation should always be specified so that the deployment can quickly be associated with a specific user or team.",
"remediation": "Redeploy your service and set the 'owner' or 'team' annotation to yourself or your team respectively per organizational standards.",
"disabled": true,
"categories": [
"DevOps Best Practices",
"Security Best Practices",
"Supply Chain Security"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "kube-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on istio-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "istio-system",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "LOW_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Required Annotation",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "owner|team=.+"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}