kyverno/samples/README.md

# Sample Policies

Sample policies are designed to be applied to your Kubernetes clusters with minimal changes. To apply these policies to your cluster, install Kyverno and import the policies as follows:

**Install Kyverno**

````sh
kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
````
<small>[(installation docs)](../documentation/installation.md)</small>

**Apply Kyverno Policies**

To start applying policies to your cluster, first clone the repo:

````bash
git clone https://github.com/nirmata/kyverno.git
cd kyverno
````

Import best_practices from [here](best_pratices):

````bash
kubectl create -f samples/best_practices
````

Import addition policies from [here](more):

````bash
kubectl create -f samples/more/
````

The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.

## Best Practice Policies

These policies are highly recommended.

1. [Run as non-root user](RunAsNonRootUser.md)
2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md)
3. [Disallow new capabilities](DisallowNewCapabilities.md)
4. [Require read-only root filesystem](RequireReadOnlyFS.md)
5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
6. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
8. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
9. [Disallow unknown image registries](DisallowUnknownRegistries.md)
10. [Disallow latest image tag](DisallowLatestTag.md)
11. [Disallow use of default namespace](DisallowDefaultNamespace.md)
12. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)
13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
16. [Disallow Helm Tiller](DisallowHelmTiller.md)
17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](MutateSafeToEvict.md)

## Additional Policies

The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes. 

18. [Limit use of `NodePort` services](LimitNodePort.md)
19. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
20. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
21. [Limit Kernel parameter access](ConfigureKernelParmeters.md)
22. [Restrict ingress class](KnownIngressClass.md)
reorganize samples 2019-10-23 14:06:03 -07:00			`# Sample Policies`
inital commit, add samples folder 2019-10-08 18:40:15 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`Sample policies are designed to be applied to your Kubernetes clusters with minimal changes. To apply these policies to your cluster, install Kyverno and import the policies as follows:`
inital commit, add samples folder 2019-10-08 18:40:15 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`Install Kyverno`
update readme 2019-10-10 11:53:51 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			````sh
			`kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml`
			````
update text 2019-10-23 14:26:29 -07:00			`<small>[(installation docs)](../documentation/installation.md)</small>`
reformat additional policies 2019-10-09 18:40:52 -07:00
update text 2019-10-23 14:26:29 -07:00			`Apply Kyverno Policies`
update descriptions 2019-10-14 12:27:17 -07:00
add clone instuction 2019-10-30 13:14:59 -07:00			`To start applying policies to your cluster, first clone the repo:`

reorganize samples 2019-10-23 14:06:03 -07:00			````bash
add clone instuction 2019-10-30 13:14:59 -07:00			`git clone https://github.com/nirmata/kyverno.git`
			`cd kyverno`
			````

update doc 2019-10-30 12:36:00 -07:00			`Import best_practices from [here](best_pratices):`
update text 2019-10-23 14:26:29 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			````bash
update doc 2019-10-30 12:36:00 -07:00			`kubectl create -f samples/best_practices`
			````
update text 2019-10-23 14:26:29 -07:00
update doc 2019-10-30 12:36:00 -07:00			`Import addition policies from [here](more):`
update text 2019-10-23 14:26:29 -07:00
update doc 2019-10-30 12:36:00 -07:00			````bash
			`kubectl create -f samples/more/`
reorganize samples 2019-10-23 14:06:03 -07:00			````
reformat additional policies 2019-10-09 18:40:52 -07:00
update text 2019-10-23 14:26:29 -07:00			The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.

reorganize samples 2019-10-23 14:06:03 -07:00			`## Best Practice Policies`
update descriptions 2019-10-14 12:27:17 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`These policies are highly recommended.`
reformat additional policies 2019-10-09 18:40:52 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`1. [Run as non-root user](RunAsNonRootUser.md)`
update descriptions... 2019-10-23 15:36:37 -07:00			`2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md)`
update README.md 2019-10-31 18:43:06 -07:00			`3. [Disallow new capabilities](DisallowNewCapabilities.md)`
- add policy and test for known ingress - fix messages and remove unnecessary comments in testrunner/scenario.go 2019-11-05 19:07:44 -08:00			`4. [Require read-only root filesystem](RequireReadOnlyFS.md)`
Merge branch 'master' into 410_no_new_capabilities 2019-11-01 14:53:56 -07:00			5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
update README.md and markdown 2019-11-01 15:23:42 -07:00			`6. [Disallow docker socket bind mount](DisallowDockerSockMount.md)`
			7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
			8. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
			`9. [Disallow unknown image registries](DisallowUnknownRegistries.md)`
			`10. [Disallow latest image tag](DisallowLatestTag.md)`
			`11. [Disallow use of default namespace](DisallowDefaultNamespace.md)`
			`12. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)`
			`13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)`
			14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
			`15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)`
add disallow Helm tiller 2019-11-03 18:19:06 -08:00			`16. [Disallow Helm Tiller](DisallowHelmTiller.md)`
add policy doc 2019-11-05 16:45:37 -08:00			17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](MutateSafeToEvict.md)
reformat additional policies 2019-10-09 18:40:52 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`## Additional Policies`
reformat additional policies 2019-10-09 18:40:52 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes.`
update path in readme 2019-10-14 14:06:20 -07:00
add policy doc 2019-11-05 16:45:37 -08:00			18. [Limit use of `NodePort` services](LimitNodePort.md)
			`19. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)`
			`20. [Configure Linux Capabilities](AssignLinuxCapabilities.md)`
			`21. [Limit Kernel parameter access](ConfigureKernelParmeters.md)`
- add policy and test for known ingress - fix messages and remove unnecessary comments in testrunner/scenario.go 2019-11-05 19:07:44 -08:00			`22. [Restrict ingress class](KnownIngressClass.md)`