Back to catalog

Required Label: Owner/Team

No violationsstackroxlowdeploy

Alert on deployments missing the 'owner' or 'team' label

Rationale
The 'owner' or 'team' label should always be specified so that the deployment can quickly be associated with a specific user or team.
Remediation
Redeploy your service and set the 'owner' or 'team' label to yourself or your team respectively per organizational standards.
CategoriesDevOps Best PracticesSecurity Best PracticesSupply Chain Security
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 28.1Art. 9.2
ISO/IEC 27001 2022
A.8.25A.8.9
NIST SP 800-53 rev. 5
CM-2SR-4
PCI DSS 4.0
2.2.16.4.3
SOC 2 2017 TSC
CC6.8CC8.1

Generated artifacts

3 of 5 targets supported
required-label-owner-team.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: required-label-owner-team
  annotations:
    policies.kyverno.io/title: "Required Label: Owner/Team"
    policies.kyverno.io/category: DevOps Best Practices, Security Best Practices, Supply Chain Security
    policies.kyverno.io/severity: low
    policies.kyverno.io/description: Alert on deployments missing the 'owner' or 'team' label
    policies.kyverno.io/remediation: Redeploy your service and set the 'owner' or 'team' label to yourself or your team respectively per organizational standards.
    policies.kyverno.io/rationale: The 'owner' or 'team' label should always be specified so that the deployment can quickly be associated with a specific user or team.
    policies.io/source: stackrox
    policies.io/source-id: 550081a1-ad3a-4eab-a874-8eb68fab2bbd
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: required-label-owner-team
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Policy \"Required Label: Owner/Team\" violated: Alert on deployments missing the 'owner' or 'team' label"
        deny:
          conditions:
            all:
              - key: "{{ keys(request.object.metadata.labels || `{}`) }}"
                operator: AnyNotIn
                value:
                  - owner|team
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
          - resources:
              namespaces:
                - istio-system
IR (canonical)
{
  "id": "550081a1-ad3a-4eab-a874-8eb68fab2bbd",
  "name": "Required Label: Owner/Team",
  "description": "Alert on deployments missing the 'owner' or 'team' label",
  "rationale": "The 'owner' or 'team' label should always be specified so that the deployment can quickly be associated with a specific user or team.",
  "remediation": "Redeploy your service and set the 'owner' or 'team' label to yourself or your team respectively per organizational standards.",
  "severity": "low",
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices",
    "Supply Chain Security"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "namespace": "kube-system"
    },
    {
      "name": "Don't alert on istio-system namespace",
      "namespace": "istio-system"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "required-label",
    "values": [
      "owner|team=.+"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "550081a1-ad3a-4eab-a874-8eb68fab2bbd",
  "name": "Required Label: Owner/Team",
  "description": "Alert on deployments missing the 'owner' or 'team' label",
  "rationale": "The 'owner' or 'team' label should always be specified so that the deployment can quickly be associated with a specific user or team.",
  "remediation": "Redeploy your service and set the 'owner' or 'team' label to yourself or your team respectively per organizational standards.",
  "disabled": true,
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices",
    "Supply Chain Security"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on istio-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "istio-system",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Required Label",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "owner|team=.+"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}