From 20736e5e812d68c7081e12087be01fb497b4d6d0 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 10 Nov 2019 15:50:18 -0800
Subject: [PATCH] update disallow_default_namespace and disallow_host_network_port and disallow_host_pid_ipc

---
 pkg/testrunner/testrunner_test.go | 6 +++---
 samples/DisallowDefaultNamespace.md | 10 +++++-----
 samples/DisallowHostPIDIPC.md | 8 ++++----
 samples/README.md | 16 ++++++++--------
 .../disallow_default_namespace.yaml | 19 +++++++++++--------
 .../disallow_host_network_port.yaml | 10 +++------
 ...ostipc.yaml => disallow_host_pid_ipc.yaml} | 4 ++--
 ...e.yaml => disallow_default_namespace.yaml} | 8 +++-----
 ...ostipc.yaml => disallow_host_pid_ipc.yaml} | 8 ++++----
 9 files changed, 43 insertions(+), 46 deletions(-)
 rename samples/best_practices/{disallow_hostpid_hostipc.yaml => disallow_host_pid_ipc.yaml} (92%)
 rename test/scenarios/samples/best_practices/{scenario_validate_disallow_default_namespace.yaml => disallow_default_namespace.yaml} (61%)
 rename test/scenarios/samples/best_practices/{scenario_validate_disallow_hostpid_hostipc.yaml => disallow_host_pid_ipc.yaml} (64%)

diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index bed584cee7..6f42c68f8c 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -41,15 +41,15 @@ func Test_validate_disallow_automoutingapicred_pass(t *testing.T) {
 }
 
 func Test_validate_disallow_default_namespace(t *testing.T) {
- testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml")
+ testScenario(t, "test/scenarios/samples/best_practices/disallow_default_namespace.yaml")
 }
 
 func Test_validate_host_network_port(t *testing.T) {
 testScenario(t, "test/scenarios/samples/best_practices/disallow_host_network_port.yaml")
 }
 
-func Test_validate_hostPID_hostIPC(t *testing.T) {
- testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml")
+func Test_validate_host_PID_IPC(t *testing.T) {
+ testScenario(t, "test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml")
 }
 
 func Test_validate_ro_rootfs(t *testing.T) {
diff --git a/samples/DisallowDefaultNamespace.md b/samples/DisallowDefaultNamespace.md
index a15719678d..03d1845a83 100644
--- a/samples/DisallowDefaultNamespace.md
+++ b/samples/DisallowDefaultNamespace.md
@@ -1,6 +1,6 @@
 # Disallow use of default namespace
 
-Kubernetes namespaces provide a way to segment and isolate cluster resources across multiple applictaions and users. It is recommended that each workload be isolated in its own namespace and that use of the default namespace be not allowed.
+Kubernetes namespaces are an optional feature that provide a way to segment and isolate cluster resources across multiple applications and users. As a best practice, workloads should be isolated with namespaces. Namespaces should be required and the default (empty) namespace should not be used.
 
 ## Policy YAML
 
@@ -10,20 +10,20 @@ Kubernetes namespaces provide a way to segment and isolate cluster resources acr apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-namespace + name: disallow-default-namespace spec: rules: - - name: check-default-namespace + - name: validate-namespace match: resources: kinds: - Pod validate: - message: "Using 'default' namespace is restricted" + message: "Using 'default' namespace is not allowed" pattern: metadata: namespace: "!default" - - name: check-namespace-exist + - name: require-namespace match: resources: kinds: diff --git a/samples/DisallowHostPIDIPC.md b/samples/DisallowHostPIDIPC.md index 6d68e06400..6820a332e4 100644 --- a/samples/DisallowHostPIDIPC.md +++ b/samples/DisallowHostPIDIPC.md @@ -6,13 +6,13 @@ To avoid pod container from having visibility to host process space, validate th ## Policy YAML -[disallow_hostpid_hostipc.yaml](best_practices/disallow_hostpid_hostipc.yaml) +[disallow_host_pid_ipc.yaml](best_practices/disallow_host_pid_ipc.yaml) ````yaml apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-host-pid-ipc + name: disallow-host-pid-ipc annotations: policies.kyverno.io/category: Security policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process @@ -20,9 +20,9 @@ metadata: the container process to communicate with processes on the host. To avoid pod container from having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'. spec: - validationFailureAction: enforce + validationFailureAction: audit rules: - - name: validate-host-pid-ipc + - name: validate-hostPID-hostIPC match: resources: kinds: diff --git a/samples/README.md b/samples/README.md index 6adc53e290..6b62ab8b83 100644 --- a/samples/README.md +++ b/samples/README.md 
@@ -44,14 +44,14 @@ These policies are highly recommended. 6. [Disallow docker socket bind mount](DisallowDockerSockMount.md) 7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md) 8. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md) -9. [Disallow unknown image registries](DisallowUnknownRegistries.md) +9. [Disallow use of default namespace](DisallowDefaultNamespace.md) 10. [Disallow latest image tag](DisallowLatestTag.md) -11. [Disallow use of default namespace](DisallowDefaultNamespace.md) -12. [Require namespace limits and quotas](RequireNSLimitsQuotas.md) -13. [Require pod resource requests and limits](RequirePodRequestsLimits.md) -14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md) -15. [Default deny all ingress traffic](DefaultDenyAllIngress.md) -16. [Disallow Helm Tiller](DisallowHelmTiller.md) +11. [Disallow Helm Tiller](DisallowHelmTiller.md) +12. [Restrict image registries](DisallowUnknownRegistries.md) +13. [Require namespace limits and quotas](RequireNSLimitsQuotas.md) +14. [Require pod resource requests and limits](RequirePodRequestsLimits.md) +15. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md) +16. [Default deny all ingress traffic](DefaultDenyAllIngress.md) 17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md) ## Additional Policies @@ -62,4 +62,4 @@ The policies provide additional best practices and are worthy of close considera 19. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md) 20. [Configure Linux Capabilities](AssignLinuxCapabilities.md) 21. [Limit Kernel parameter access](ConfigureKernelParmeters.md) -22. [Restrict ingress class](KnownIngressClass.md) +22. [Restrict ingress classes](KnownIngressClass.md) diff --git a/samples/best_practices/disallow_default_namespace.yaml b/samples/best_practices/disallow_default_namespace.yaml index 03043d7940..4e334e4770 100644 
--- a/samples/best_practices/disallow_default_namespace.yaml
+++ b/samples/best_practices/disallow_default_namespace.yaml
@@ -1,24 +1,26 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
- name: validate-namespace
- annotations:
- policies.kyverno.io/category: Workload Isolation
- policies.kyverno.io/description: With many users spread across multiple teams, restricting
- use of the default namespace and subdividing the cluster by namesoace isolates workloads.
+ name: disallow-default-namespace
+ policies.kyverno.io/category: Isolation
+ policies.kyverno.io/description: Kubernetes namespaces are an optional feature
+ that provide a way to segment and isolate cluster resources across multiple
+ applications and users. As a best practice, workloads should be isolated with
+ namespaces. Namespaces should be required and the default (empty) namespace
+ should not be used.
 spec:
 rules:
- - name: check-default-namespace
+ - name: validate-namespace
 match:
 resources:
 kinds:
 - Pod
 validate:
- message: "Using 'default' namespace is restricted"
+ message: "Using 'default' namespace is not allowed"
 pattern:
 metadata:
 namespace: "!default"
- - name: check-namespace-exist
+ - name: require-namespace
 match:
 resources:
 kinds:
@@ -28,3 +30,4 @@ spec:
 pattern:
 metadata:
 namespace: "?*"
+
diff --git a/samples/best_practices/disallow_host_network_port.yaml b/samples/best_practices/disallow_host_network_port.yaml
index e375eece68..5348f56a70 100644
--- a/samples/best_practices/disallow_host_network_port.yaml
+++ b/samples/best_practices/disallow_host_network_port.yaml
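Review bot: The rewritten metadata block in the first hunk of disallow_default_namespace.yaml removes the `annotations:` line but keeps the `policies.kyverno.io/category` and `policies.kyverno.io/description` entries, so they now appear as direct children of `metadata:`, where ObjectMeta has no such fields; depending on how the policy is applied they will be rejected as unknown fields or silently dropped, and either way the sample loses the category/description that the other policies in this commit still carry. Re-insert `  annotations:` between `name: disallow-default-namespace` and the `policies.kyverno.io/category:` line and nest the two annotation keys under it, as disallow_host_pid_ipc.yaml in the same commit does. The new description text also duplicates the paragraph in samples/DisallowDefaultNamespace.md, so keeping the annotation (rather than dropping it) keeps the two in step.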
@@ -1,11 +1,7 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
- name: validate-host-network-hostport
- annotations:
- policies.kyverno.io/category: Security
- policies.kyverno.io/description: Using 'hostPort' and 'hostNetwork' allows pods to share
- the host network stack, allowing potential snooping of network traffic from an application pod.
+ name: disallow-host-network-port
 spec:
 rules:
 - name: validate-host-network-port
@@ -14,11 +10,11 @@ spec:
 kinds:
 - Pod
 validate:
- message: "Defining hostNetwork and hostPort are not allowed"
+ message: "Using host networking is not allowed"
 pattern:
 spec:
 (hostNetwork): false
 containers:
 - name: "*"
 ports:
- - hostPort: null
+ - hostPort: null
\ No newline at end of file
diff --git a/samples/best_practices/disallow_hostpid_hostipc.yaml b/samples/best_practices/disallow_host_pid_ipc.yaml
similarity index 92%
rename from samples/best_practices/disallow_hostpid_hostipc.yaml
rename to samples/best_practices/disallow_host_pid_ipc.yaml
index 545d72fafd..b6d68389cf 100644
--- a/samples/best_practices/disallow_hostpid_hostipc.yaml
+++ b/samples/best_practices/disallow_host_pid_ipc.yaml
@@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
- name: validate-host-pid-ipc
+ name: disallow-host-pid-ipc
 annotations:
 policies.kyverno.io/category: Security
 policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process
@@ -11,7 +11,7 @@ metadata:
 spec:
 validationFailureAction: audit
 rules:
- - name: validate-host-pid-ipc
+ - name: validate-hostPID-hostIPC
 match:
 resources:
 kinds:
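Review bot: The first hunk of disallow_host_network_port.yaml deletes the whole `annotations:` block (category `Security` and the description explaining why sharing the host network stack is risky), whereas disallow_host_pid_ipc.yaml in this same commit keeps its annotations; if the intent was only to rename the policy, the annotation block should stay so the sample remains self-describing and consistent with its siblings. In the second hunk the message is narrowed to `"Using host networking is not allowed"`, but the rule's pattern still rejects `hostPort` as well, so a pod denied for a `hostPort` would get a message that does not name the offending field; `message: "Using hostNetwork or hostPort is not allowed"` would cover both checks. The `\ No newline at end of file` marker now applies only to the new side of the last `hostPort: null` line, so the commit also strips the file's trailing newline; restoring it avoids a spurious diff on the next edit.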
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml b/test/scenarios/samples/best_practices/disallow_default_namespace.yaml similarity index 61% rename from test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml rename to test/scenarios/samples/best_practices/disallow_default_namespace.yaml index 682d8363cc..fe44d3389d 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml +++ b/test/scenarios/samples/best_practices/disallow_default_namespace.yaml @@ -5,7 +5,7 @@ input: expected: validation: policyresponse: - policy: validate-namespace + policy: disallow-default-namespace resource: kind: Pod apiVersion: v1 @@ -14,12 +14,10 @@ expected: namespace: 'default' name: myapp-pod rules: - - name: check-default-namespace + - name: validate-namespace type: Validation - message: "Validation error: Using 'default' namespace is restricted\nValidation rule 'check-default-namespace' failed at path '/metadata/namespace/'." success: false - - name: check-namespace-exist + - name: require-namespace type: Validation - message: "Validation rule 'check-namespace-exist' succeeded." success: true diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml b/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml similarity index 64% rename from test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml rename to test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml index 9d57910743..14591d60e5 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml +++ b/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml 
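Review bot: In the second hunk of the renamed scenario disallow_default_namespace.yaml the two expected `message:` lines are deleted rather than updated, so the test no longer asserts the validation text the policy now emits ("not allowed" instead of "restricted") or the failing path `/metadata/namespace/` recorded by the removed line; a regression in either now passes unnoticed. If the test runner still compares messages, keep an updated expectation following the removed line's format, e.g. `message: "Validation error: Using 'default' namespace is not allowed\nValidation rule 'validate-namespace' failed at path '/metadata/namespace/'."` (constructed from the removed line and the new rule name; verify against actual runner output). If messages are intentionally no longer compared, a one-line comment at the top of the scenario saying so would stop the next reader from treating the omission as an oversight.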
@@ -1,17 +1,17 @@
 # file path relative to project root
 input:
- policy: samples/best_practices/disallow_hostpid_hostipc.yaml
+ policy: samples/best_practices/disallow_host_pid_ipc.yaml
 resource: test/resources/disallow_hostpid_hostipc.yaml
 expected:
 validation:
 policyresponse:
- policy: validate-host-pid-ipc
+ policy: disallow-host-pid-ipc
 resource:
 kind: Pod
 apiVersion: v1
 namespace: ''
 name: "nginx-with-hostpid"
 rules:
- - name: validate-host-pid-ipc
+ - name: validate-hostPID-hostIPC
 type: Validation
- success: false
\ No newline at end of file
+ success: false
\ No newline at end of file