update api in samples/
This commit is contained in:
parent
eab9609c6a
commit
051eba058f
65 changed files with 65 additions and 65 deletions
|
@ -9,7 +9,7 @@ A default `NetworkPolicy` should be configured for each namespace to default den
|
|||
[add_network_policy.yaml](best_practices/add_network_policy.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-networkpolicy
|
||||
|
|
|
@ -11,7 +11,7 @@ To limit the number of resources like CPU and memory, as well as objects that ma
|
|||
[add_ns_quota.yaml](best_practices/add_ns_quota.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-ns-quota
|
||||
|
|
|
@ -13,7 +13,7 @@ This policy matches and mutates pods with `emptyDir` and `hostPath` volumes, to
|
|||
[add_safe_to_evict_annotation.yaml](best_practices/add_safe_to_evict.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: "kyverno.io/v1alpha1"
|
||||
apiVersion: "kyverno.io/v1"
|
||||
kind: "ClusterPolicy"
|
||||
metadata:
|
||||
name: "add-safe-to-evict"
|
||||
|
|
|
@ -7,7 +7,7 @@ All processes inside the pod can be made to run with specific user and groupID b
|
|||
[policy_validate_user_group_fsgroup_id.yaml](more/policy_validate_user_group_fsgroup_id.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-userid-groupid-fsgroup
|
||||
|
|
|
@ -7,7 +7,7 @@ The volume of type `hostPath` allows pods to use host bind mounts (i.e. director
|
|||
[disallow_bind_mounts.yaml](best_practices/disallow_bind_mounts.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: "kyverno.io/v1alpha1"
|
||||
apiVersion: "kyverno.io/v1"
|
||||
kind: "ClusterPolicy"
|
||||
metadata:
|
||||
name: "disallow-bind-mounts"
|
||||
|
|
|
@ -7,7 +7,7 @@ Kubernetes namespaces are an optional feature that provide a way to segment and
|
|||
[disallow_default_namespace.yaml](best_practices/disallow_default_namespace.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-default-namespace
|
||||
|
|
|
@ -9,7 +9,7 @@ to manage containers outside of Kubernetes, and hence should not be allowed.
|
|||
[disallow_docker_sock_mount.yaml](best_practices/disallow_docker_sock_mount.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-docker-sock-mount
|
||||
|
|
|
@ -7,7 +7,7 @@ Tiller has known security challenges. It requires adminstrative privileges and a
|
|||
[disallow_helm_tiller.yaml](best_practices/disallow_helm_tiller.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-helm-tiller
|
||||
|
|
|
@ -9,7 +9,7 @@ Using `hostPort` and `hostNetwork` allows pods to share the host networking stac
|
|||
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-host-network-port
|
||||
|
|
|
@ -9,7 +9,7 @@ To avoid pod container from having visibility to host process space, validate th
|
|||
[disallow_host_pid_ipc.yaml](best_practices/disallow_host_pid_ipc.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-host-pid-ipc
|
||||
|
|
|
@ -8,7 +8,7 @@ The `:latest` tag is mutable and can lead to unexpected errors if the upstream i
|
|||
|
||||
|
||||
````yaml
|
||||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-latest-tag
|
||||
|
|
|
@ -11,7 +11,7 @@ default capabilities.
|
|||
[disallow_new_capabilities.yaml](best_practices/disallow_new_capabilities.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-new-capabilities
|
||||
|
|
|
@ -9,7 +9,7 @@ To disallow privileged containers and privilege escalation, run pod containers w
|
|||
[disallow_privileged.yaml](best_practices/disallow_privileged.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-privileged
|
||||
|
|
|
@ -11,7 +11,7 @@ By default, all processes in a container run as the root user (uid 0). To preven
|
|||
[disallow_root_user.yaml](best_practices/disallow_root_user.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-root-user
|
||||
|
|
|
@ -12,7 +12,7 @@ The Sysctl interface allows modifications to kernel parameters at runtime. In a
|
|||
[disallow_sysctls.yaml](best_practices/disallow_sysctls.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-sysctls
|
||||
|
|
|
@ -9,7 +9,7 @@ For each pod, a periodic `livenessProbe` is performed by the kubelet to determin
|
|||
[require_probes.yaml](best_practices/require_probes.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-pod-probes
|
||||
|
|
|
@ -9,7 +9,7 @@ If a namespace level request or limit is specified, defaults will automatically
|
|||
[require_pod_requests_limits.yaml](best_practices/require_pod_requests_limits.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-pod-requests-limits
|
||||
|
|
|
@ -8,7 +8,7 @@ A read-only root file system helps to enforce an immutable infrastructure strate
|
|||
|
||||
|
||||
````yaml
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-ro-rootfs
|
||||
|
|
|
@ -7,7 +7,7 @@ Kubernetes automatically mounts service account credentials in each pod. The ser
|
|||
[restrict_automount_sa_token.yaml](more/restrict_automount_sa_token.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: restrict-automount-sa-token
|
||||
|
|
|
@ -9,7 +9,7 @@ You can customize this policy to allow image registries that you trust.
|
|||
[restrict_image_registries.yaml](more/restrict_image_registries.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: restrict-image-registries
|
||||
|
|
|
@ -7,7 +7,7 @@ It can be useful to restrict Ingress resources to a set of known ingress classes
|
|||
[restrict_ingress_classes.yaml](more/restrict_ingress_classes.yaml)
|
||||
|
||||
````yaml
|
||||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: restrict-ingress-classes
|
||||
|
|
|
@ -12,7 +12,7 @@ Although NodePort services can be useful, their use should be limited to service
|
|||
|
||||
````yaml
|
||||
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: restrict-node-port
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-networkpolicy
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-ns-quota
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: "kyverno.io/v1alpha1"
|
||||
apiVersion: "kyverno.io/v1"
|
||||
kind: "ClusterPolicy"
|
||||
metadata:
|
||||
name: "add-safe-to-evict"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: "kyverno.io/v1alpha1"
|
||||
apiVersion: "kyverno.io/v1"
|
||||
kind: "ClusterPolicy"
|
||||
metadata:
|
||||
name: "disallow-bind-mounts"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-default-namespace
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-docker-sock-mount
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-helm-tiller
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: host-network-port
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-host-pid-ipc
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-latest-tag
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-new-capabilities
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-privileged
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-root-user
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-sysctls
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-pod-requests-limits
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-pod-probes
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-ro-rootfs
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: restrict-automount-sa-token
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: restrict-image-registries
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: restrict-ingress-classes
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: restrict-nodeport
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name : policy-deployment
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name : policy-endpoints
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-pod-disable-automoutingapicred
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: policy-qos
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name : policy-cm
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: query1
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: query1
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-cpu-memory
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-host-path
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: image-pull-policy
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name : validation-example2
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name : validation-example2
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-node-port
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name : check-non-root
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name: check-probe-exists
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name: check-probe-intervals
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-registries
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-default-proc-mount
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-disallow-default-serviceaccount
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name: check-probe-exists
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-selinux-options
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-volumes-whitelist
|
||||
|
|