kyverno/samples/README.md

# Sample Policies

Sample policies are designed to be applied to your Kubernetes clusters with minimal changes.

The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.

## Best Practice Policies

These policies are highly recommended.

1. [Disallow root user](DisallowRootUser.md)
1. [Disallow privileged containers](DisallowPrivilegedContainers.md)
1. [Disallow new capabilities](DisallowNewCapabilities.md)
1. [Disallow kernel parameter changes](DisallowSysctls.md)
1. [Disallow use of bind mounts (`hostPath` volumes)](DisallowBindMounts.md)
1. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
1. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
1. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
1. [Disallow use of default namespace](DisallowDefaultNamespace.md)
1. [Disallow latest image tag](DisallowLatestTag.md)
1. [Disallow Helm Tiller](DisallowHelmTiller.md)
1. [Require read-only root filesystem](RequireReadOnlyRootFS.md)
1. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
1. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
1. [Add default network policy](AddDefaultNetworkPolicy.md)
1. [Add namespace quotas](AddNamespaceQuotas.md)
1. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)

## Additional Policies

These policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments.

1. [Restrict image registries](RestrictImageRegistries.md)
1. [Restrict `NodePort` services](RestrictNodePort.md)
1. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md)
1. [Restrict ingress classes](RestrictIngressClasses.md)
1. [Restrict User Group](CheckUserGroup.md)
1. [Require pods are labeled](RequireLabels.md)
1. [Require pods have certain labels](RequireCertainLabels.md)
1. [Require Deployments have multiple replicas](RequireDeploymentsHaveReplicas.md)

## Applying the sample policies

To apply these policies to your cluster, install Kyverno and import the policies as follows:

### Install Kyverno**

````sh
kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml
````

<small>[(installation docs)](../documentation/installation.md)</small>

### Apply Kyverno Policies**

To start applying policies to your cluster, first clone the repo:

````bash
git clone https://github.com/kyverno/kyverno.git
cd kyverno
````

Import best practices from [here](best_pratices):

````bash
kubectl create -f samples/best_practices
````

Import additional policies from [here](more):

````bash
kubectl create -f samples/more/
````
reorganize samples 2019-10-23 14:06:03 -07:00			`# Sample Policies`
inital commit, add samples folder 2019-10-08 18:40:15 -07:00
linting, MD updates 2020-11-12 12:32:10 -05:00			`Sample policies are designed to be applied to your Kubernetes clusters with minimal changes.`
reformat additional policies 2019-10-09 18:40:52 -07:00
update text 2019-10-23 14:26:29 -07:00			The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.

reorganize samples 2019-10-23 14:06:03 -07:00			`## Best Practice Policies`
update descriptions 2019-10-14 12:27:17 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`These policies are highly recommended.`
reformat additional policies 2019-10-09 18:40:52 -07:00
update disallow_root_user 2019-11-08 19:25:43 -08:00			`1. [Disallow root user](DisallowRootUser.md)`
update README with new policies 2020-11-11 20:30:59 -05:00			`1. [Disallow privileged containers](DisallowPrivilegedContainers.md)`
			`1. [Disallow new capabilities](DisallowNewCapabilities.md)`
			`1. [Disallow kernel parameter changes](DisallowSysctls.md)`
			1. [Disallow use of bind mounts (`hostPath` volumes)](DisallowBindMounts.md)
			`1. [Disallow docker socket bind mount](DisallowDockerSockMount.md)`
			1. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
			1. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
			`1. [Disallow use of default namespace](DisallowDefaultNamespace.md)`
			`1. [Disallow latest image tag](DisallowLatestTag.md)`
			`1. [Disallow Helm Tiller](DisallowHelmTiller.md)`
			`1. [Require read-only root filesystem](RequireReadOnlyRootFS.md)`
			`1. [Require pod resource requests and limits](RequirePodRequestsLimits.md)`
			1. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
			`1. [Add default network policy](AddDefaultNetworkPolicy.md)`
			`1. [Add namespace quotas](AddNamespaceQuotas.md)`
			1. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
reformat additional policies 2019-10-09 18:40:52 -07:00
reorganize samples 2019-10-23 14:06:03 -07:00			`## Additional Policies`
reformat additional policies 2019-10-09 18:40:52 -07:00
linting, MD updates 2020-11-12 12:32:10 -05:00			`These policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments.`
update path in readme 2019-10-14 14:06:20 -07:00
update README with new policies 2020-11-11 20:30:59 -05:00			`1. [Restrict image registries](RestrictImageRegistries.md)`
			1. [Restrict `NodePort` services](RestrictNodePort.md)
			`1. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md)`
			`1. [Restrict ingress classes](RestrictIngressClasses.md)`
			`1. [Restrict User Group](CheckUserGroup.md)`
			`1. [Require pods are labeled](RequireLabels.md)`
			`1. [Require pods have certain labels](RequireCertainLabels.md)`
add sample policy for deployments 2020-11-12 12:31:03 -05:00			`1. [Require Deployments have multiple replicas](RequireDeploymentsHaveReplicas.md)`
update sections 2019-11-11 18:10:34 -08:00
			`## Applying the sample policies`

			`To apply these policies to your cluster, install Kyverno and import the policies as follows:`

linting, MD updates 2020-11-12 12:32:10 -05:00			`### Install Kyverno**`
update sections 2019-11-11 18:10:34 -08:00
			````sh
update with release, typos 2020-11-12 18:23:20 -05:00			`kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml`
update sections 2019-11-11 18:10:34 -08:00			````
linting, MD updates 2020-11-12 12:32:10 -05:00
update sections 2019-11-11 18:10:34 -08:00			`<small>[(installation docs)](../documentation/installation.md)</small>`

linting, MD updates 2020-11-12 12:32:10 -05:00			`### Apply Kyverno Policies**`
update sections 2019-11-11 18:10:34 -08:00
			`To start applying policies to your cluster, first clone the repo:`

			````bash
migrate repo 2020-10-07 15:09:52 -07:00			`git clone https://github.com/kyverno/kyverno.git`
update sections 2019-11-11 18:10:34 -08:00			`cd kyverno`
			````

update with release, typos 2020-11-12 18:23:20 -05:00			`Import best practices from [here](best_pratices):`
update sections 2019-11-11 18:10:34 -08:00
			````bash
			`kubectl create -f samples/best_practices`
			````

update with release, typos 2020-11-12 18:23:20 -05:00			`Import additional policies from [here](more):`
update sections 2019-11-11 18:10:34 -08:00
			````bash
			`kubectl create -f samples/more/`
			````