mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-10 01:46:55 +00:00
24 lines
1.1 KiB
Markdown
24 lines
1.1 KiB
Markdown
|
# Best Practice Policies
|
||
|
|
|
||
|
|
This folder contains recommended policies
|
||
|
|
|
||
|
|
| Best practice | Policy
|
||
|
|
|------------------------------------------------|-----------------------------------------------------------------------|-
|
||
|
|
| Run as non-root user |
|
||
|
|
| Disallow privileged and privilege escalation |
|
||
|
|
| Disallow use of host networking and ports |
|
||
|
|
| Disallow use of host filesystem |
|
||
|
|
| Disallow hostPOD and hostIPC |
|
||
|
|
| Require read only root filesystem |
|
||
|
|
| Disallow node ports |
|
||
|
|
| Allow trusted registries |
|
||
|
|
| Require resource requests and limits | [container_resources.yaml](container_resources.yaml)
|
||
|
|
| Require pod liveness and readiness probes |
|
||
|
|
| Require an image tag |
|
||
|
|
| Disallow latest tag and pull IfNotPresent |
|
||
|
|
| Require a namespace (disallow default) |
|
||
|
|
| Disallow use of kube-system namespace |
|
||
|
|
| Prevent mounting of service account secret |
|
||
|
|
| Require a default network policy |
|
||
|
|
| Require namespace quotas and limit ranges |
|