diff --git a/samples/DisallowHelmTiller.md b/samples/DisallowHelmTiller.md index 4f90314343..df8e949ae3 100644 --- a/samples/DisallowHelmTiller.md +++ b/samples/DisallowHelmTiller.md @@ -4,6 +4,8 @@ Tiller has known security challenges. It requires adminstrative privileges and a ## Policy YAML +[disallow_helm_tiller.yaml](best_practices/disallow_helm_tiller.yaml) + ````yaml apiVersion : kyverno.io/v1alpha1 kind: ClusterPolicy diff --git a/samples/README.md b/samples/README.md index 4af31d38c9..cdb3ea1e6e 100644 --- a/samples/README.md +++ b/samples/README.md @@ -12,7 +12,7 @@ These policies are highly recommended. 2. [Disallow privileged containers](DisallowPrivilegedContainers.md) 3. [Disallow new capabilities](DisallowNewCapabilities.md) 4. [Disallow kernel parameter changes](DisallowSysctls.md) -5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md) +5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowBindMounts.md) 6. [Disallow docker socket bind mount](DisallowDockerSockMount.md) 7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md) 8. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md) 
@@ -22,13 +22,13 @@ These policies are highly recommended. 12. [Require read-only root filesystem](RequireReadOnlyRootFS.md) 13. [Require pod resource requests and limits](RequirePodRequestsLimits.md) 14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md) -15. [Add default network policy](DefaultDenyAllIngress.md) +15. [Add default network policy](AddDefaultNetworkPolicy.md) 16. [Add namespace resource quotas](AddNamespaceResourceQuota.md) 17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md) ## Additional Policies -The policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments. +These policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments. 17. [Restrict image registries](RestrictImageRegistries.md) 18. [Restrict `NodePort` services](RestrictNodePort.md) diff --git a/samples/RestrictAutomountSAToken.md b/samples/RestrictAutomountSAToken.md index 45211b5877..1ebee9bd0e 100644 --- a/samples/RestrictAutomountSAToken.md +++ b/samples/RestrictAutomountSAToken.md @@ -4,7 +4,7 @@ Kubernetes automatically mounts service account credentials in each pod. The ser ## Policy YAML -[restrict_automount_sa_token.yaml](best_practices/restrict_automount_sa_token.yaml) +[restrict_automount_sa_token.yaml](more/restrict_automount_sa_token.yaml) ````yaml apiVersion : kyverno.io/v1alpha1 diff --git a/samples/RestrictImageRegistries.md b/samples/RestrictImageRegistries.md index ca4c5e65ff..46b88d84e5 100644 --- a/samples/RestrictImageRegistries.md +++ b/samples/RestrictImageRegistries.md 
@@ -6,7 +6,7 @@ You can customize this policy to allow image registries that you trust. ## Policy YAML -[restrict_image_registries.yaml](best_practices/restrict_image_registries.yaml) +[restrict_image_registries.yaml](more/restrict_image_registries.yaml) ````yaml apiVersion : kyverno.io/v1alpha1 diff --git a/samples/RestrictIngressClasses.md b/samples/RestrictIngressClasses.md index 07361448f8..fa8506f810 100644 --- a/samples/RestrictIngressClasses.md +++ b/samples/RestrictIngressClasses.md @@ -4,7 +4,7 @@ It can be useful to restrict Ingress resources to a set of known ingress classes ## Policy YAML -[restrict_ingress_classes.yaml](best_practices/restrict_ingress_classes.yaml) +[restrict_ingress_classes.yaml](more/restrict_ingress_classes.yaml) ````yaml apiVersion : kyverno.io/v1alpha1 diff --git a/samples/RestrictNodePort.md b/samples/RestrictNodePort.md index 9c3cda23de..86234ca3f6 100644 --- a/samples/RestrictNodePort.md +++ b/samples/RestrictNodePort.md @@ -8,7 +8,7 @@ Although NodePort services can be useful, their use should be limited to service ## Policy YAML -[restrict_node_port.yaml](best_practices/restrict_node_port.yaml) +[restrict_node_port.yaml](more/restrict_node_port.yaml) ````yaml diff --git a/samples/best_practices/add_network_policy.yaml b/samples/best_practices/add_network_policy.yaml index d349b5b2bb..16850bcf9e 100644 --- a/samples/best_practices/add_network_policy.yaml +++ b/samples/best_practices/add_network_policy.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: add-networkpolicy annotations: - policies.kyverno.io/category: NetworkPolicy + policies.kyverno.io/category: Workload Management policies.kyverno.io/description: By default, Kubernetes allows communications across all pods within a cluster. Network policies and, a CNI that supports network policies, must be used to restrict communinications. A default NetworkPolicy should be configured 
diff --git a/samples/best_practices/add_ns_quota.yaml b/samples/best_practices/add_ns_quota.yaml index 395c3b72a8..0813b204c5 100644 --- a/samples/best_practices/add_ns_quota.yaml +++ b/samples/best_practices/add_ns_quota.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: add-ns-quota annotations: - policies.kyverno.io/category: Isolation + policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: To limit the number of objects, as well as the total amount of compute that may be consumed by a single namespace, create a default resource quota for each namespace. diff --git a/samples/best_practices/add_safe_to_evict.yaml b/samples/best_practices/add_safe_to_evict.yaml index ae6a1d2968..c2b3c8d49c 100644 --- a/samples/best_practices/add_safe_to_evict.yaml +++ b/samples/best_practices/add_safe_to_evict.yaml @@ -3,7 +3,7 @@ kind: "ClusterPolicy" metadata: name: "add-safe-to-evict" annotations: - policies.kyverno.io/category: AutoScaling + policies.kyverno.io/category: Workload Management policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods. diff --git a/samples/best_practices/disallow_bind_mounts.yaml b/samples/best_practices/disallow_bind_mounts.yaml index ab2f24e14b..f7d75dd835 100644 --- a/samples/best_practices/disallow_bind_mounts.yaml +++ b/samples/best_practices/disallow_bind_mounts.yaml @@ -3,7 +3,7 @@ kind: "ClusterPolicy" metadata: name: "disallow-bind-mounts" annotations: - policies.kyverno.io/category: Data Protection + policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind mounts (i.e. directories and volumes mounted to a host path) in containers. Using host resources can be used to access shared data or escalate priviliges. Also, this couples pods 
diff --git a/samples/best_practices/disallow_default_namespace.yaml b/samples/best_practices/disallow_default_namespace.yaml index 4e334e4770..954b9c25e0 100644 --- a/samples/best_practices/disallow_default_namespace.yaml +++ b/samples/best_practices/disallow_default_namespace.yaml @@ -2,7 +2,7 @@ apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: name: disallow-default-namespace - policies.kyverno.io/category: Isolation + policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: Kubernetes namespaces are an optional feature that provide a way to segment and isolate cluster resources across multiple applications and users. As a best practice, workloads should be isolated with diff --git a/samples/best_practices/disallow_host_network_port.yaml b/samples/best_practices/disallow_host_network_port.yaml index 9b9dd169ee..9ec09a75ff 100644 --- a/samples/best_practices/disallow_host_network_port.yaml +++ b/samples/best_practices/disallow_host_network_port.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: host-network-port annotations: - policies.kyverno.io/category: Security + policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: Using 'hostPort' and 'hostNetwork' allows pods to share the host network stack, allowing potential snooping of network traffic from an application pod. spec: diff --git a/samples/best_practices/disallow_host_pid_ipc.yaml b/samples/best_practices/disallow_host_pid_ipc.yaml index b6d68389cf..1354bb8e3f 100644 --- a/samples/best_practices/disallow_host_pid_ipc.yaml +++ b/samples/best_practices/disallow_host_pid_ipc.yaml 
@@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: disallow-host-pid-ipc annotations: - policies.kyverno.io/category: Security + policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process on the host, potentially exposing process information. Sharing the host's IPC namespace allows the container process to communicate with processes on the host. To avoid pod container from diff --git a/samples/best_practices/disallow_latest_tag.yaml b/samples/best_practices/disallow_latest_tag.yaml index 4e15999caf..c84983b68f 100644 --- a/samples/best_practices/disallow_latest_tag.yaml +++ b/samples/best_practices/disallow_latest_tag.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag annotations: - policies.kyverno.io/category: Image + policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod. diff --git a/samples/best_practices/require_pod_requests_limits.yaml b/samples/best_practices/require_pod_requests_limits.yaml index e2716bb485..1ad5e2b132 100644 --- a/samples/best_practices/require_pod_requests_limits.yaml +++ b/samples/best_practices/require_pod_requests_limits.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: require-pod-requests-limits annotations: - policies.kyverno.io/category: Resource Quota + policies.kyverno.io/category: Workload Management policies.kyverno.io/description: As application workloads share cluster resources, it is important to limit resources requested and consumed by each pod. It is recommended to require 'resources.requests' and 'resources.limits' per pod. If a namespace level request or limit is diff --git a/samples/best_practices/require_probes.yaml b/samples/best_practices/require_probes.yaml index bdaf9dcee4..097ac91fd1 100644 
--- a/samples/best_practices/require_probes.yaml +++ b/samples/best_practices/require_probes.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: require-pod-probes annotations: - policies.kyverno.io/category: Health + policies.kyverno.io/category: Workload Management policies.kyverno.io/description: Liveness and readiness probes need to be configured to correctly manage a pods lifecycle during deployments, restarts, and upgrades. For each pod, a periodic `livenessProbe` is performed by the kubelet to determine if the pod's diff --git a/samples/best_practices/require_ro_rootfs.yaml b/samples/best_practices/require_ro_rootfs.yaml index e5b2507943..01b49ea541 100644 --- a/samples/best_practices/require_ro_rootfs.yaml +++ b/samples/best_practices/require_ro_rootfs.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: require-ro-rootfs annotations: - policies.kyverno.io/category: Security Context + policies.kyverno.io/category: Security policies.kyverno.io/description: A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write on the mounted volume that p ersists the state. An immutable root filesystem can also prevent malicious binaries from diff --git a/samples/more/restrict_image_registries.yaml b/samples/more/restrict_image_registries.yaml index ac7325711a..8eeb968272 100644 --- a/samples/more/restrict_image_registries.yaml +++ b/samples/more/restrict_image_registries.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: restrict-image-registries annotations: - policies.kyverno.io/category: Image + policies.kyverno.io/category: Workload Management policies.kyverno.io/description: Images from unknown registries may not be scanned and secured. Requiring use of known registries helps reduce threat exposure. spec: diff --git a/samples/more/restrict_ingress_classes.yaml b/samples/more/restrict_ingress_classes.yaml index bd0860ac68..10fd7f9739 100644 --- a/samples/more/restrict_ingress_classes.yaml 
+++ b/samples/more/restrict_ingress_classes.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: restrict-ingress-classes annotations: - policies.kyverno.io/category: Ingress + policies.kyverno.io/category: Workload Management policies.kyverno.io/description: It can be useful to restrict Ingress resources to a set of known ingress classes that are allowed in the cluster. You can customize this policy to allow ingress classes that are configured in the cluster. diff --git a/samples/more/restrict_node_port.yaml b/samples/more/restrict_node_port.yaml index 33a9382b43..9077b4079c 100644 --- a/samples/more/restrict_node_port.yaml +++ b/samples/more/restrict_node_port.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: restrict-nodeport annotations: - policies.kyverno.io/category: Security + policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: A Kubernetes service of type NodePort uses a host port to receive traffic from any source. A 'NetworkPolicy' resource cannot be used to control traffic to host ports. Although 'NodePort' services can be useful, their use
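Review bot: The link added to `samples/DisallowHelmTiller.md` points at `best_practices/disallow_helm_tiller.yaml`, but no file by that path is touched anywhere in this patch, so please confirm it exists under `best_practices/` rather than `more/` (the other four doc links in this patch are being corrected from `best_practices/` to `more/` for exactly this kind of mismatch). While in this file, the context line still reads "adminstrative"; worth fixing to "administrative" in the same change.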
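Review bot: In the first `samples/README.md` hunk, item 5 is repointed from `DisallowHostFS.md` to `DisallowBindMounts.md`, but the patch contains no rename or addition of `DisallowBindMounts.md`. Please confirm that file already exists in `samples/` and that `DisallowHostFS.md` is removed or redirected, otherwise this swaps one dead link for another.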
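Review bot: In the second `samples/README.md` hunk, the "Additional Policies" list restarts at `17. [Restrict image registries]` immediately after `17. [Add safe-to-evict ...]` closes the recommended list, so the document has two item 17s. Since this hunk already edits the lines around it, renumber the additional list to start at 18 (or restart it at 1 to make clear it is a separate list). The "The policies" to "These policies" wording fix in the same hunk looks good. Also, as with the previous hunk, `AddDefaultNetworkPolicy.md` is not created or renamed in this patch; please confirm it exists.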
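Review bot: In `samples/RestrictAutomountSAToken.md` the link is moved to `more/restrict_automount_sa_token.yaml`. The other three relinked docs in this patch (`restrict_image_registries`, `restrict_ingress_classes`, `restrict_node_port`) each have a matching `samples/more/*.yaml` edited later in the same patch, which confirms those files live there, but nothing in the patch touches `samples/more/restrict_automount_sa_token.yaml`. Please confirm that file is actually under `more/` and not still under `best_practices/`.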
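Review bot: The `samples/best_practices/add_network_policy.yaml` hunk moves the category from `NetworkPolicy` to `Workload Management`, while the same patch files `disallow_host_network_port`, `disallow_host_pid_ipc`, `disallow_bind_mounts` and `restrict_node_port` under `Workload Isolation`. A default-deny NetworkPolicy is a network isolation control for the namespace, so `Workload Isolation` would be the consistent choice here; otherwise readers filtering on category will find the node-port and host-network policies but not the policy that actually restricts pod-to-pod traffic. The context line also still contains "communinications"; fix the typo while this file is being edited.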
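Review bot: In the `samples/best_practices/disallow_default_namespace.yaml` hunk, the `policies.kyverno.io/category` line being changed sits directly under `metadata:` after `name: disallow-default-namespace`, with no `annotations:` key, unlike every other policy in this patch where the context shows `annotations:` above the category line. As written these keys are not annotations at all but unknown fields on `metadata`, which the API server will either drop or reject depending on validation mode, so the category and description never reach the cluster. Since this hunk is already touching that line, add the `annotations:` key and indent both `policies.kyverno.io/*` entries beneath it.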
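Review bot: The `samples/best_practices/disallow_latest_tag.yaml` hunk changes the category from `Image` to `Workload Isolation`, but the `:latest` tag concern described in the context ("mutable and can lead to unexpected errors if the image changes") is about image supply and reproducibility, not isolation between workloads. The other image-related policy in this patch, `restrict_image_registries.yaml`, is moved to `Workload Management`; use the same category here so the two image policies stay grouped together.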
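Review bot: In `samples/best_practices/disallow_bind_mounts.yaml` the category change from `Data Protection` to `Workload Isolation` is reasonable (host path access is a container-to-host boundary issue), but the context line still reads "escalate priviliges"; correct it to "privileges" while the file is open.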
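Review bot: After this patch, `samples/best_practices/require_ro_rootfs.yaml` is the only policy left in a category named `Security`; the two other policies that were previously `Security` (`disallow_host_network_port.yaml`, `disallow_host_pid_ipc.yaml`) and `restrict_node_port.yaml` are all moved to `Workload Isolation` in this same patch. A category with a single member defeats the point of the consolidation into `Workload Isolation` / `Workload Management`; consider placing the read-only root filesystem policy under one of those two (it is a per-container hardening setting, so `Workload Isolation` fits the way the other container-hardening policies were categorised). The context line also shows "that p ersists the state"; if that split word is in the file rather than an extraction artifact, fix it here.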