kyverno/samples/README.md

# Sample Policies

Sample policies are designed to be applied to your Kubernetes clusters with minimal changes. To apply these policies to your cluster, install Kyverno and import the policies as follows:

**Install Kyverno**

````sh
kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
````
<small>[(installation docs)](../documentation/installation.md)</small>

**Apply Kyverno Policies**

````bash

kubectl create -f https://github.com/nirmata/kyverno/raw/master/samples/best_practices/

kubectl create -f https://github.com/nirmata/kyverno/raw/master/samples/more/

````

The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.

## Best Practice Policies

These policies are highly recommended.

1. [Run as non-root user](RunAsNonRootUser.md)
2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md)
3. [Require Read-only root filesystem](RequireReadOnlyFS.md)
4. [Disallow use of host filesystem](DisallowHostFS.md)
5. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
6. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
7. [Disallow unknown image registries](DisallowUnknownRegistries.md)
8. [Disallow latest image tag](DisallowLatestTag.md)
9. [Disallow use of default namespace](DisallowDefaultNamespace.md)
10. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)
11. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
12. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
13. [Default deny all ingress traffic](DefaultDenyAllIngress.md)


## Additional Policies

The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes. 

14. [Limit use of `NodePort` services](LimitNodePort.md)
15. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
16. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
17. [Limit Kernel parameter access](ConfigureKernelParmeters.md)
reorganize samples 2019-10-23 14:06:03 -07:00			`# Sample Policies`
inital commit, add samples folder 2019-10-08 18:40:15 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`Sample policies are designed to be applied to your Kubernetes clusters with minimal changes. To apply these policies to your cluster, install Kyverno and import the policies as follows:`
inital commit, add samples folder 2019-10-08 18:40:15 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`Install Kyverno`
update readme 2019-10-10 11:53:51 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			````sh
			`kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml`
			````
update text 2019-10-23 14:26:29 -07:00			`<small>[(installation docs)](../documentation/installation.md)</small>`
reformat additional policies 2019-10-09 18:40:52 -07:00
update text 2019-10-23 14:26:29 -07:00			`Apply Kyverno Policies`
update descriptions 2019-10-14 12:27:17 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			````bash
update text 2019-10-23 14:26:29 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`kubectl create -f https://github.com/nirmata/kyverno/raw/master/samples/best_practices/`
update text 2019-10-23 14:26:29 -07:00
			`kubectl create -f https://github.com/nirmata/kyverno/raw/master/samples/more/`

reorganize samples 2019-10-23 14:06:03 -07:00			````
reformat additional policies 2019-10-09 18:40:52 -07:00
update text 2019-10-23 14:26:29 -07:00			The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.

reorganize samples 2019-10-23 14:06:03 -07:00			`## Best Practice Policies`
update descriptions 2019-10-14 12:27:17 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`These policies are highly recommended.`
reformat additional policies 2019-10-09 18:40:52 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`1. [Run as non-root user](RunAsNonRootUser.md)`
update descriptions... 2019-10-23 15:36:37 -07:00			`2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md)`
reorganize samples 2019-10-23 14:06:03 -07:00			`3. [Require Read-only root filesystem](RequireReadOnlyFS.md)`
			`4. [Disallow use of host filesystem](DisallowHostFS.md)`
			5. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
			6. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
			`7. [Disallow unknown image registries](DisallowUnknownRegistries.md)`
			`8. [Disallow latest image tag](DisallowLatestTag.md)`
			`9. [Disallow use of default namespace](DisallowDefaultNamespace.md)`
			`10. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)`
			`11. [Require pod resource requests and limits](RequirePodRequestsLimits.md)`
update descriptions... 2019-10-23 15:36:37 -07:00			12. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
reorganize samples 2019-10-23 14:06:03 -07:00			`13. [Default deny all ingress traffic](DefaultDenyAllIngress.md)`
update path in readme 2019-10-14 14:06:20 -07:00
reformat additional policies 2019-10-09 18:40:52 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`## Additional Policies`
reformat additional policies 2019-10-09 18:40:52 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes.`
update path in readme 2019-10-14 14:06:20 -07:00
update references 2019-10-23 16:02:28 -07:00			14. [Limit use of `NodePort` services](LimitNodePort.md)
reorganize samples 2019-10-23 14:06:03 -07:00			`15. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)`
			`16. [Configure Linux Capabilities](AssignLinuxCapabilities.md)`
			`17. [Limit Kernel parameter access](ConfigureKernelParmeters.md)`
update path in readme 2019-10-14 14:06:20 -07:00