mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

update categories and links

This commit is contained in:
Jim Bugwadia 2019-11-11 18:21:16 -08:00
parent 8ac71a885c
commit 31d33c5de1
20 changed files with 23 additions and 21 deletions

View file

@ -4,6 +4,8 @@ Tiller has known security challenges. It requires adminstrative privileges and a
## Policy YAML
[disallow_helm_tiller.yaml](best_practices/disallow_helm_tiller.yaml)
````yaml
apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
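Review bot: style point on the `apiVersion : kyverno.io/v1alpha1` line: the space before the colon is valid YAML but differs from the `apiVersion: kyverno.io/v1alpha1` form used by the policy files touched later in this commit; while this hunk is being edited, drop the stray space so the README snippet matches the files it links to.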

View file

@ -12,7 +12,7 @@ These policies are highly recommended.
2. [Disallow privileged containers](DisallowPrivilegedContainers.md)
3. [Disallow new capabilities](DisallowNewCapabilities.md)
4. [Disallow kernel parameter changes](DisallowSysctls.md)
5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowBindMounts.md)
6. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
8. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
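Review bot: the link target changes from DisallowHostFS.md to DisallowBindMounts.md, but no rename of DisallowHostFS.md appears among the 20 files in this commit, so the new target should be confirmed to exist or the README entry will dangle. The new name does line up with the policy name `disallow-bind-mounts` edited further down, which is the right direction; the rename itself just needs to be in the tree.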
@ -22,13 +22,13 @@ These policies are highly recommended.
12. [Require read-only root filesystem](RequireReadOnlyRootFS.md)
13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
15. [Add default network policy](DefaultDenyAllIngress.md)
15. [Add default network policy](AddDefaultNetworkPolicy.md)
16. [Add namespace resource quotas](AddNamespaceResourceQuota.md)
17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
## Additional Policies
The policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments.
These policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments.
17. [Restrict image registries](RestrictImageRegistries.md)
18. [Restrict `NodePort` services](RestrictNodePort.md)
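Review bot: the numbering under "## Additional Policies" restarts at 17, which collides with item 17 ("Add `safe-to-evict` ...") in the list above; either continue at 18 and 19 or start the second list at 1. The same caveat as for the bind-mount link applies to `AddDefaultNetworkPolicy.md`: no rename from DefaultDenyAllIngress.md is visible in this commit, so confirm the file exists. The Additional Policies list also omits the automount-service-account-token and ingress-classes policies whose YAML this commit relinks under `more/`; if they are "additional" policies they should be listed here too.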

View file

@ -4,7 +4,7 @@ Kubernetes automatically mounts service account credentials in each pod. The ser
## Policy YAML
[restrict_automount_sa_token.yaml](best_practices/restrict_automount_sa_token.yaml)
[restrict_automount_sa_token.yaml](more/restrict_automount_sa_token.yaml)
````yaml
apiVersion : kyverno.io/v1alpha1
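Review bot: the link now points at `more/restrict_automount_sa_token.yaml`, but no move of that YAML out of `best_practices/` is visible in this commit's file list, so either the move has already landed separately or this link breaks; the same check applies to the `more/` links for restrict_image_registries.yaml, restrict_ingress_classes.yaml and restrict_node_port.yaml in the hunks below. If the files were moved in the same change, including the renames here would make the commit self-contained.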

View file

@ -6,7 +6,7 @@ You can customize this policy to allow image registries that you trust.
## Policy YAML
[restrict_image_registries.yaml](best_practices/restrict_image_registries.yaml)
[restrict_image_registries.yaml](more/restrict_image_registries.yaml)
````yaml
apiVersion : kyverno.io/v1alpha1

View file

@ -4,7 +4,7 @@ It can be useful to restrict Ingress resources to a set of known ingress classes
## Policy YAML
[restrict_ingress_classes.yaml](best_practices/restrict_ingress_classes.yaml)
[restrict_ingress_classes.yaml](more/restrict_ingress_classes.yaml)
````yaml
apiVersion : kyverno.io/v1alpha1

View file

@ -8,7 +8,7 @@ Although NodePort services can be useful, their use should be limited to service
## Policy YAML
[restrict_node_port.yaml](best_practices/restrict_node_port.yaml)
[restrict_node_port.yaml](more/restrict_node_port.yaml)
````yaml

View file

@ -3,7 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-networkpolicy
annotations:
policies.kyverno.io/category: NetworkPolicy
policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: By default, Kubernetes allows communications across
all pods within a cluster. Network policies and, a CNI that supports network policies,
must be used to restrict communinications. A default NetworkPolicy should be configured
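Review bot: "Workload Management" is a questionable category for a default-deny NetworkPolicy; the other network- and host-boundary controls in this commit (host-network-port, disallow-host-pid-ipc, restrict-nodeport) are filed under "Workload Isolation", and a default deny is an isolation control, so "Workload Isolation" would be the consistent choice. The unchanged description lines also carry a typo ("communinications") and a misplaced comma ("Network policies and, a CNI that supports network policies, must be used"); since the annotation block is being touched, fix them to "Network policies, and a CNI that supports network policies, must be used to restrict communications".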

View file

@ -3,7 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-ns-quota
annotations:
policies.kyverno.io/category: Isolation
policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: To limit the number of objects, as well as the
total amount of compute that may be consumed by a single namespace, create
a default resource quota for each namespace.
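Review bot: add-ns-quota goes to "Workload Isolation" while require-pod-requests-limits, which addresses the same concern (bounding compute consumed by a workload), goes to "Workload Management" later in this commit; pick one category for both resource-bounding policies so the categories stay meaningful when used for filtering or reporting.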

View file

@ -3,7 +3,7 @@ kind: "ClusterPolicy"
metadata:
name: "add-safe-to-evict"
annotations:
policies.kyverno.io/category: AutoScaling
policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict pods that
use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation
cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.

View file

@ -3,7 +3,7 @@ kind: "ClusterPolicy"
metadata:
name: "disallow-bind-mounts"
annotations:
policies.kyverno.io/category: Data Protection
policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind
mounts (i.e. directories and volumes mounted to a host path) in containers. Using host
resources can be used to access shared data or escalate priviliges. Also, this couples pods
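Review bot: typo in the unchanged description context, "escalate priviliges" should be "escalate privileges"; worth fixing in the same hunk since the annotation block is already being edited.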

View file

@ -2,7 +2,7 @@ apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: disallow-default-namespace
policies.kyverno.io/category: Isolation
policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: Kubernetes namespaces are an optional feature
that provide a way to segment and isolate cluster resources across multiple
applications and users. As a best practice, workloads should be isolated with
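Review bot: this file has no `annotations:` key: `policies.kyverno.io/category` and `policies.kyverno.io/description` sit directly under `metadata:` next to `name:`, unlike every other policy in this commit (the hunk starting at line 2 rather than line 3 is the tell). Unknown fields under `metadata` are not preserved by the API server, so the category and description will silently disappear on apply. Insert an `annotations:` line after `name: disallow-default-namespace` and indent both keys beneath it, matching the layout of the sibling policies.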

View file

@ -3,7 +3,7 @@ kind: ClusterPolicy
metadata:
name: host-network-port
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: Using 'hostPort' and 'hostNetwork' allows pods to share
the host network stack, allowing potential snooping of network traffic from an application pod.
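Review bot: naming consistency: this policy is `host-network-port` while its siblings in this commit use the `disallow-` prefix (`disallow-host-pid-ipc`, `disallow-bind-mounts`) and the README links it as DisallowHostNetworkPort; renaming to `disallow-host-network-port` would make the policy name match its intent and the docs. Not strictly part of the category change, but this hunk is the natural place for it.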
spec:

View file

@ -3,7 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-host-pid-ipc
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process
on the host, potentially exposing process information. Sharing the host's IPC namespace allows
the container process to communicate with processes on the host. To avoid pod container from
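Review bot: grammar in the unchanged description context: "visibility of process on the host" should read "visibility of processes on the host", and "To avoid pod container from" needs rewording (for example "To prevent a pod's containers from"); since the annotation block is being edited, fix these lines in the same hunk.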

View file

@ -3,7 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
policies.kyverno.io/category: Image
policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: The ':latest' tag is mutable and can lead to
unexpected errors if the image changes. A best practice is to use an immutable
tag that maps to a specific version of an application pod.
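Review bot: "Workload Isolation" does not fit disallow-latest-tag: a mutable image tag is a reproducibility and supply-chain hygiene concern, not a boundary between workloads, and the other former "Image" policy in this commit (restrict-image-registries) is moved to "Workload Management". Use the same category for both image policies, or keep a dedicated image category if the distinction is wanted.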

View file

@ -3,7 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-pod-requests-limits
annotations:
policies.kyverno.io/category: Resource Quota
policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: As application workloads share cluster resources, it is important
to limit resources requested and consumed by each pod. It is recommended to require
'resources.requests' and 'resources.limits' per pod. If a namespace level request or limit is

View file

@ -3,7 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-pod-probes
annotations:
policies.kyverno.io/category: Health
policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: Liveness and readiness probes need to be configured to
correctly manage a pods lifecycle during deployments, restarts, and upgrades. For each
pod, a periodic `livenessProbe` is performed by the kubelet to determine if the pod's
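Review bot: small typo in the unchanged description context, "a pods lifecycle" should be "a pod's lifecycle".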

View file

@ -3,7 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-ro-rootfs
annotations:
policies.kyverno.io/category: Security Context
policies.kyverno.io/category: Security
policies.kyverno.io/description: A read-only root file system helps to enforce an immutable
infrastructure strategy; the container only needs to write on the mounted volume that p
ersists the state. An immutable root filesystem can also prevent malicious binaries from
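Review bot: the unchanged description context has the word "persists" split across lines ("that p" / "ersists the state"); in a YAML plain multi-line scalar the line break folds to a space, so the rendered description reads "p ersists". Rejoin the word on one line while this annotation block is being edited. Separately, this is now the only policy left in the bare "Security" category while the other host-boundary policies in this commit move to "Workload Isolation"; if "Security" is meant to survive as a category it should hold more than one policy, otherwise fold this one into "Workload Isolation" too.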

View file

@ -3,7 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-image-registries
annotations:
policies.kyverno.io/category: Image
policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: Images from unknown registries may not be scanned and secured.
Requiring use of known registries helps reduce threat exposure.
spec:

View file

@ -3,7 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-ingress-classes
annotations:
policies.kyverno.io/category: Ingress
policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: It can be useful to restrict Ingress resources to a set of
known ingress classes that are allowed in the cluster. You can customize this policy to
allow ingress classes that are configured in the cluster.

View file

@ -3,7 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-nodeport
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: A Kubernetes service of type NodePort uses a
host port to receive traffic from any source. A 'NetworkPolicy' resource cannot be used
to control traffic to host ports. Although 'NodePort' services can be useful, their use