
feat: warn on RDS destructive changes, public ingress, and public EKS#628

Open
RealHarshThakur wants to merge 1 commit into
mainfrom
ht/protective-policies

Conversation

RealHarshThakur (Contributor) commented May 27, 2026

Adds byoc-nuon/policies.toml wiring four OPA warn policies:

| Policy | Triggers on |
|---|---|
| warn-db-destructive.rego | aws_db_instance delete, replace, storage shrink, backups → 0, deletion_protection flipped off, delete with skip_final_snapshot |
| warn-public-eks-endpoint.rego | aws_eks_cluster with endpoint_public_access = true |
| warn-public-ingress.rego | Ingress with alb.ingress.kubernetes.io/scheme: internet-facing or cert-manager.io/cluster-issuer: public-issuer |
| warn-loadbalancer-service.rego | Service with type: LoadBalancer |

Notes

  • warn-only for now; promote to deny per-rule after a release of soak.
  • Patterns borrowed from nuonco/example-app-configs (policies-demo, coder) and nuonco/policies.
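For reference, a standalone sketch of what the two Terraform-side rules in the table (warn-db-destructive and warn-public-eks-endpoint) can look like as OPA policy evaluated over `terraform show -json` plan output. This is an added example, not the PR's own rego and not Nuon's policy code; the package name `terraform.warn`, the `warn` set rule as the output shape, and the assumption that the policy is fed a Terraform plan JSON document as `input` are assumptions, since the PR does not show the policy bodies. The plan-JSON contract itself (`resource_changes[].change.actions` with values `no-op`, `create`, `read`, `update`, `delete`, plus `before`/`after` objects) is Terraform's documented format.

```rego
# Added example, not from the PR. Assumes input is the JSON produced by
# `terraform show -json <planfile>`; package and rule names are assumptions.
package terraform.warn

import rego.v1

# --- aws_db_instance -------------------------------------------------------

# All planned changes to RDS instances.
db_changes contains rc if {
	some rc in input.resource_changes
	rc.type == "aws_db_instance"
}

has_action(rc, verb) if verb in rc.change.actions

# A pure destroy: the only planned action is delete.
is_delete(rc) if rc.change.actions == ["delete"]

# A replacement is planned as delete+create (or create+delete when
# create_before_destroy is set); either way both verbs appear.
is_replace(rc) if {
	has_action(rc, "delete")
	has_action(rc, "create")
}

# In-place updates carry both a before and an after object to compare.
# Attributes that are unknown until apply are absent from `after`, so a
# comparison that touches them is undefined and the rule simply does not fire.
db_updates contains rc if {
	some rc in db_changes
	rc.change.actions == ["update"]
	rc.change.before != null
	rc.change.after != null
}

warn contains msg if {
	some rc in db_changes
	is_delete(rc)
	msg := sprintf("%s: plan destroys this RDS instance", [rc.address])
}

warn contains msg if {
	some rc in db_changes
	is_replace(rc)
	msg := sprintf("%s: plan replaces this RDS instance (delete + create)", [rc.address])
}

# On a destroy, `before` holds the last known config, including skip_final_snapshot.
warn contains msg if {
	some rc in db_changes
	is_delete(rc)
	rc.change.before.skip_final_snapshot == true
	msg := sprintf("%s: destroy with skip_final_snapshot = true, no final snapshot will be kept", [rc.address])
}

warn contains msg if {
	some rc in db_updates
	rc.change.after.allocated_storage < rc.change.before.allocated_storage
	msg := sprintf("%s: allocated_storage shrinks from %v to %v", [rc.address, rc.change.before.allocated_storage, rc.change.after.allocated_storage])
}

warn contains msg if {
	some rc in db_updates
	rc.change.before.backup_retention_period > 0
	rc.change.after.backup_retention_period == 0
	msg := sprintf("%s: backup_retention_period drops to 0, automated backups disabled", [rc.address])
}

warn contains msg if {
	some rc in db_updates
	rc.change.before.deletion_protection == true
	rc.change.after.deletion_protection == false
	msg := sprintf("%s: deletion_protection turned off", [rc.address])
}

# --- aws_eks_cluster -------------------------------------------------------

# vpc_config is a nested block, which the plan JSON renders as a list.
# `after` is null on a destroy, so the reference below is undefined there
# and the rule does not fire; it does fire on create, update and no-op.
warn contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_eks_cluster"
	rc.change.after.vpc_config[0].endpoint_public_access == true
	msg := sprintf("%s: EKS API endpoint is publicly reachable (endpoint_public_access = true)", [rc.address])
}
```

To try it locally against a real plan: `terraform plan -out tfplan`, then `terraform show -json tfplan > plan.json`, then `opa eval -f pretty -i plan.json -d warn_db_destructive.rego 'data.terraform.warn.warn'`. The result is the set of warning strings; an empty set means nothing matched. Because these are warn rules, the surrounding pipeline decides whether a non-empty set blocks the run, which matches the "warn now, promote to deny later" plan in the notes.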

@RealHarshThakur RealHarshThakur marked this pull request as draft May 27, 2026 14:37
@RealHarshThakur RealHarshThakur changed the title byoc-nuon: warn on RDS destructive changes, public ingress, and public EKS feat: warn on RDS destructive changes, public ingress, and public EKS May 27, 2026
@RealHarshThakur RealHarshThakur marked this pull request as ready for review May 28, 2026 10:58
