
Allow kyverno-policies to have preconditions defined (#3606)

* Allow kyverno-policies to have preconditions defined

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Fix docs

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
This commit is contained in:
treydock 2022-04-18 13:59:47 -04:00 committed by GitHub
parent a0d3f31851
commit 1cfc80d32a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 112 additions and 8 deletions


@ -70,6 +70,7 @@ The command removes all the Kubernetes components associated with the chart and
| validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
| validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
| policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
| policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
| nameOverride | string | `nil` | Name override. |
| customLabels | object | `{}` | Additional labels. |
| background | bool | `true` | Policies background mode |


@ -0,0 +1,14 @@
podSecurityStandard: restricted
includeOtherPolicies:
- require-non-root-groups
policyPreconditions:
require-run-as-non-root-user:
any:
- key: "{{ request.object.metadata.name }}"
operator: NotEquals
value: "dcgm-exporter*"
adding-capabilities-strict:
any:
- key: "{{ request.object.metadata.name }}"
operator: NotEquals
value: "dcgm-exporter*"


@ -34,6 +34,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,


@ -35,6 +35,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,


@ -34,6 +34,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.


@ -34,6 +34,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort


@ -35,6 +35,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,


@ -33,6 +33,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged


@ -35,6 +35,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Changing the proc mount from the default is not allowed. The fields


@ -33,6 +33,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with merge (index .Values "policyPreconditions" "selinux-type") (index .Values "policyPreconditions" $name) }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Setting the SELinux type is restricted. The fields
@ -66,6 +70,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with merge (index .Values "policyPreconditions" "selinux-user-role") (index .Values "policyPreconditions" $name) }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Setting the SELinux user or role is forbidden. The fields
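Review bot: The `merge` on the `with` line of both hunks combines the rule-level entry (`selinux-type` / `selinux-user-role`) with the policy-level `$name` entry, but as I read Sprig's `merge` it is a key-level merge that keeps the first argument's value on conflict and writes the result back into that first argument, so a rule-level `any:` list silently masks a policy-level `any:` list instead of the two being concatenated, and the merged result is written into the `.Values` map itself. If the intent is that both sets of conditions apply, either document the precedence above the `with` line, e.g. `{{- /* rule-level preconditions win over policy-level ones; any/all lists are not combined */}}`, or build the lists explicitly with `concat` rather than relying on map merge. The same construct appears on L223, L234, L248 and L263 (check-runasgroup, check-supplementalgroups, require-drop-all, adding-capabilities-strict). The enclosing rule definitions start and end outside these hunks.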


@ -36,6 +36,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Specifying other AppArmor profiles is disallowed. The annotation


@ -34,6 +34,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Use of custom Seccomp profiles is disallowed. The fields


@ -37,6 +37,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Setting additional sysctls above the allowed type is disallowed.


@ -35,6 +35,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with merge (index .Values "policyPreconditions" "check-runasgroup") (index .Values "policyPreconditions" $name) }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Running with root group IDs is disallowed. The fields
@ -75,6 +79,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with merge (index .Values "policyPreconditions" "check-supplementalgroups") (index .Values "policyPreconditions" $name) }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Containers cannot run with a root primary or supplementary GID. The field


@ -35,11 +35,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with merge (index .Values "policyPreconditions" "require-drop-all") (index .Values "policyPreconditions" $name) }}
preconditions:
all:
- key: "{{`{{ request.operation }}`}}"
operator: NotEquals
value: DELETE
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Containers must drop `ALL` capabilities.
@ -61,11 +60,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with merge (index .Values "policyPreconditions" "adding-capabilities-strict") (index .Values "policyPreconditions" $name) }}
preconditions:
all:
- key: "{{`{{ request.operation }}`}}"
operator: NotEquals
value: DELETE
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Any capabilities added other than NET_BIND_SERVICE are disallowed.
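Review bot: Both hunks remove the previously unconditional `all: [request.operation NotEquals DELETE]` precondition from `require-drop-all` and `adding-capabilities-strict` and replace it with whatever the chart user supplies, so with the default `policyPreconditions: {}` from values.yaml these two rules are no longer told to skip DELETE requests — a behaviour change the commit message does not mention. If that guard was there so that a non-compliant pod can still be deleted under `enforce`, preserve it as a chart default rather than dropping it, e.g. in values.yaml `policyPreconditions:` / `  require-drop-all:` / `    all: [{key: "{{ request.operation }}", operator: NotEquals, value: DELETE}]` (and the same under `adding-capabilities-strict`), which users can still override. The Helm-escaped form `{{`{{ request.operation }}`}}` is only needed inside the template; in values.yaml the plain `{{ request.operation }}` is correct since `toYaml` emits values verbatim. The rule bodies continue outside the hunks.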


@ -33,6 +33,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Privilege escalation is disallowed. The fields


@ -33,6 +33,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Running as root is not allowed. The fields spec.securityContext.runAsUser,


@ -34,6 +34,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot


@ -36,6 +36,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Use of custom Seccomp profiles is disallowed. The fields


@ -36,6 +36,10 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Only the following types of volumes may be used: configMap, csi, downwardAPI,


@ -48,6 +48,21 @@ policyExclude: {}
# - Pod
# namespaces:
# - kube-system
# -- Add preconditions to individual policies.
# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map.
policyPreconditions: {}
# # Exclude resources from individual policies
# require-run-as-non-root-user:
# any:
# - key: "{{ request.object.metadata.name }}"
# operator: NotEquals
# value: "dcgm-exporter*"
# # Policies with multiple rules can have individual rules excluded
# adding-capabilities-strict:
# any:
# - key: "{{ request.object.metadata.name }}"
# operator: NotEquals
# value: "dcgm-exporter*"
# -- Name override.
nameOverride:
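Review bot: The `# --` comment on L352 and the example header on L354 were copied from the `policyExclude` stanza and still say "excluded" / "Exclude resources from individual policies", which misdescribes a map whose purpose is to add preconditions; the same sentence is reproduced in the README table row for `policyPreconditions`. Suggest `# Policies with multiple rules can have preconditions added to individual rules by using the name of the rule as the key in the policyPreconditions map.` and `# # Add preconditions to individual policies`, then regenerate the README if it is produced from these comments by helm-docs. The example keys `"{{ request.object.metadata.name }}"` are fine as plain quoted strings here, because values are not passed through the template engine.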