kyverno/charts/kyverno-policies/README.md.gotmpl

{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.description" . }}

{{ template "chart.badgesSection" . }}

## About

This chart contains Kyverno's implementation of the Kubernetes Pod Security Standards (PSS) as documented at https://kubernetes.io/docs/concepts/security/pod-security-standards/ and are a Helm packaged version of those found at https://github.com/kyverno/policies/tree/main/pod-security. The goal of the PSS controls is to provide a good starting point for general Kubernetes cluster operational security. These controls are broken down into two categories, Baseline and Restricted. Baseline policies implement the most basic of Pod security controls while Restricted implements more strict controls. Restricted is cumulative and encompasses those listed in Baseline.

The following policies are included in each profile.

**Baseline**

* disallow-capabilities
* disallow-host-namespaces
* disallow-host-path
* disallow-host-ports
* disallow-host-process
* disallow-privileged-containers
* disallow-proc-mount
* disallow-selinux
* restrict-apparmor-profiles
* restrict-seccomp
* restrict-sysctls

**Restricted**

* disallow-capabilities-strict
* disallow-privilege-escalation
* require-run-as-non-root-user
* require-run-as-nonroot
* restrict-seccomp-strict
* restrict-volume-types

An additional policy "require-non-root-groups" is included in an `other` group as this was previously included in the official PSS controls but since removed.

For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security.

## Deploy custom policies
If you have custom policies you would like to deploy as part of the Helm release, provide their manifests in `.Values.customPolicies`:
````yaml
customPolicies:
  - apiVersion: kyverno.io/v1
    kind: ClusterPolicy
    metadata: # metadata
    spec: # spec
````

## Installing the Chart

These PSS policies presently have a minimum requirement of Kyverno 1.6.0.

```console
## Add the Kyverno Helm repository
$ helm repo add kyverno https://kyverno.github.io/kyverno/

## Install the Kyverno Policies Helm chart
$ helm install kyverno-policies --namespace kyverno kyverno/kyverno-policies
```

## Uninstalling the Chart

To uninstall/delete the `kyverno-policies` chart:

```console
$ helm delete -n kyverno kyverno-policies
```

The command removes all the Kubernetes components associated with the chart and deletes the release.

{{ template "chart.valuesSection" . }}

{{ template "chart.sourcesSection" . }}

{{ template "chart.requirementsSection" . }}

{{ template "chart.maintainersSection" . }}

## Changes

### v2.3.4

* Do not evaluate `foreach` policies on DELETE

### v2.3.3

* Add policyPreconditions value to allow policies and rules to have preconditions added

{{ template "helm-docs.versionFooter" . }}
feat: gen kyverno-policies helm chart docs (#3301) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-02-25 16:22:00 +00:00			`{{ template "chart.header" . }}`
			`{{ template "chart.deprecationWarning" . }}`
			`{{ template "chart.description" . }}`

			`{{ template "chart.badgesSection" . }}`

			`## About`

			This chart contains Kyverno's implementation of the Kubernetes Pod Security Standards (PSS) as documented at https://kubernetes.io/docs/concepts/security/pod-security-standards/ and are a Helm packaged version of those found at https://github.com/kyverno/policies/tree/main/pod-security. The goal of the PSS controls is to provide a good starting point for general Kubernetes cluster operational security. These controls are broken down into two categories, Baseline and Restricted. Baseline policies implement the most basic of Pod security controls while Restricted implements more strict controls. Restricted is cumulative and encompasses those listed in Baseline.

			`The following policies are included in each profile.`

			`Baseline`

			`* disallow-capabilities`
			`* disallow-host-namespaces`
			`* disallow-host-path`
			`* disallow-host-ports`
			`* disallow-host-process`
			`* disallow-privileged-containers`
			`* disallow-proc-mount`
			`* disallow-selinux`
			`* restrict-apparmor-profiles`
			`* restrict-seccomp`
			`* restrict-sysctls`

			`Restricted`

			`* disallow-capabilities-strict`
			`* disallow-privilege-escalation`
			`* require-run-as-non-root-user`
			`* require-run-as-nonroot`
			`* restrict-seccomp-strict`
			`* restrict-volume-types`

			An additional policy "require-non-root-groups" is included in an `other` group as this was previously included in the official PSS controls but since removed.

			`For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security.`

feat: ability to add custom policies in values file (#10320) * Ability to add custom policies in values file Signed-off-by: Thibaut Vanderhaegen <thibaut.vanderhaegen@linkurio.us> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: treydock <treydock@gmail.com> 2024-05-29 16:24:36 +00:00			`## Deploy custom policies`
			If you have custom policies you would like to deploy as part of the Helm release, provide their manifests in `.Values.customPolicies`:
			````yaml
			`customPolicies:`
			`- apiVersion: kyverno.io/v1`
			`kind: ClusterPolicy`
			`metadata: # metadata`
			`spec: # spec`
			````

feat: gen kyverno-policies helm chart docs (#3301) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-02-25 16:22:00 +00:00			`## Installing the Chart`

			`These PSS policies presently have a minimum requirement of Kyverno 1.6.0.`

			```console
			`## Add the Kyverno Helm repository`
			`$ helm repo add kyverno https://kyverno.github.io/kyverno/`

			`## Install the Kyverno Policies Helm chart`
			`$ helm install kyverno-policies --namespace kyverno kyverno/kyverno-policies`
			```

			`## Uninstalling the Chart`

			To uninstall/delete the `kyverno-policies` chart:

			```console
			`$ helm delete -n kyverno kyverno-policies`
			```

			`The command removes all the Kubernetes components associated with the chart and deletes the release.`

			`{{ template "chart.valuesSection" . }}`

			`{{ template "chart.sourcesSection" . }}`

			`{{ template "chart.requirementsSection" . }}`

			`{{ template "chart.maintainersSection" . }}`

Cherry-pick release-1.6 Helm changes (#3689) * Support releasing kyverno and kyverno-policies chart separately (#3672) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Add DELETE precondition back (#3657) * Add DELETE precondition back Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Add another example and test for 'any' Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com> 2022-04-27 03:52:45 +00:00			`## Changes`

			`### v2.3.4`

			* Do not evaluate `foreach` policies on DELETE

			`### v2.3.3`

			`* Add policyPreconditions value to allow policies and rules to have preconditions added`

feat: gen kyverno-policies helm chart docs (#3301) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-02-25 16:22:00 +00:00			`{{ template "helm-docs.versionFooter" . }}`