add validateFailureAction to all policies (#1068)

2024-12-14 11:57:48 +00:00 · 2020-08-19 14:04:58 -07:00 · 2020-08-19 14:04:58 -07:00 · 3fb1c8e87e
commit 3fb1c8e87e
parent f60deecdce
31 changed files with 32 additions and 2 deletions
--- a/samples/DisallowBindMounts.md
+++ b/samples/DisallowBindMounts.md
@ -11,7 +11,8 @@ apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata: 
  name: disallow-bind-mounts
-spec: 
+spec:
+  validationFailureAction: audit
  rules: 
  - name: validate-hostPath
    match: 
--- a/samples/DisallowDefaultNamespace.md
+++ b/samples/DisallowDefaultNamespace.md
@ -20,6 +20,7 @@ metadata:
      namespaces. Namespaces should be required and the default (empty) namespace 
      should not be used.
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-namespace
    match:
--- a/samples/DisallowDockerSockMount.md
+++ b/samples/DisallowDockerSockMount.md
@ -14,6 +14,7 @@ kind: ClusterPolicy
 metadata:
  name: disallow-docker-sock-mount
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-docker-sock-mount
    match:
--- a/samples/DisallowHelmTiller.md
+++ b/samples/DisallowHelmTiller.md
@ -12,6 +12,7 @@ kind: ClusterPolicy
 metadata:
  name: disallow-helm-tiller
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-helm-tiller
    match:
--- a/samples/DisallowHostNetworkPort.md
+++ b/samples/DisallowHostNetworkPort.md
@ -14,6 +14,7 @@ kind: ClusterPolicy
 metadata:
  name: disallow-host-network-port
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-host-network
    match:
--- a/samples/DisallowLatestTag.md
+++ b/samples/DisallowLatestTag.md
@ -13,6 +13,7 @@ kind: ClusterPolicy
 metadata:
  name: disallow-latest-tag
 spec:
+  validationFailureAction: audit
  rules:
  - name: require-image-tag
    match:
--- a/samples/DisallowNewCapabilities.md
+++ b/samples/DisallowNewCapabilities.md
@ -18,6 +18,7 @@ metadata:
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-add-capabilities
    match:
--- a/samples/DisallowPrivilegedContainers.md
+++ b/samples/DisallowPrivilegedContainers.md
@ -14,6 +14,7 @@ kind: ClusterPolicy
 metadata:
  name: disallow-privileged
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-privileged
    match:
--- a/samples/DisallowRootUser.md
+++ b/samples/DisallowRootUser.md
@ -16,6 +16,7 @@ kind: ClusterPolicy
 metadata:
  name: disallow-root-user
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-runAsNonRoot
    match:
--- a/samples/DisallowSysctls.md
+++ b/samples/DisallowSysctls.md
@ -17,6 +17,7 @@ kind: ClusterPolicy
 metadata:
  name: disallow-sysctls
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-sysctls
    match:
--- a/samples/RequirePodProbes.md
+++ b/samples/RequirePodProbes.md
@ -14,6 +14,7 @@ kind: ClusterPolicy
 metadata:
  name: require-pod-probes
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-livenessProbe-readinessProbe
    match:
--- a/samples/RequirePodRequestsLimits.md
+++ b/samples/RequirePodRequestsLimits.md
@ -14,6 +14,7 @@ kind: ClusterPolicy
 metadata:
  name: require-pod-requests-limits
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-resources
    match:
--- a/samples/RequireReadOnlyRootFS.md
+++ b/samples/RequireReadOnlyRootFS.md
@ -13,6 +13,7 @@ kind: ClusterPolicy
 metadata:
  name: require-ro-rootfs
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-readOnlyRootFilesystem
    match:
--- a/samples/RestrictAutomountSAToken.md
+++ b/samples/RestrictAutomountSAToken.md
@ -12,6 +12,7 @@ kind: ClusterPolicy
 metadata:
  name: restrict-automount-sa-token
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-automountServiceAccountToken
    match:
--- a/samples/RestrictImageRegistries.md
+++ b/samples/RestrictImageRegistries.md
@ -14,6 +14,7 @@ kind: ClusterPolicy
 metadata:
  name: restrict-image-registries
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-registries
    match:
--- a/samples/RestrictIngressClasses.md
+++ b/samples/RestrictIngressClasses.md
@ -12,6 +12,7 @@ kind: ClusterPolicy
 metadata:
  name: restrict-ingress-classes
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-ingress
    match:
--- a/samples/RestrictNodePort.md
+++ b/samples/RestrictNodePort.md
@ -17,6 +17,7 @@ kind: ClusterPolicy
 metadata:
  name: restrict-nodeport
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-nodeport
    match:
--- a/samples/best_practices/add_network_policy.yaml
+++ b/samples/best_practices/add_network_policy.yaml
@ -11,6 +11,7 @@ metadata:
      Application teams can then configure additional NetworkPolicy resources to allow 
      desired traffic to application pods from select sources.
 spec:
+  validationFailureAction: audit
  rules:
  - name: default-deny-ingress
    match:
--- a/samples/best_practices/disallow_bind_mounts.yaml
+++ b/samples/best_practices/disallow_bind_mounts.yaml
@ -11,6 +11,7 @@ metadata:
      node leading to potential pod scheduling failures. It is highly recommended that applications 
      are designed to be decoupled from the underlying infrastructure (in this case, nodes).
 spec: 
+  validationFailureAction: audit
  rules: 
  - name: validate-hostPath
    match: 
--- a/samples/best_practices/disallow_default_namespace.yaml
+++ b/samples/best_practices/disallow_default_namespace.yaml
@ -11,6 +11,7 @@ metadata:
      namespaces. Namespaces should be required and the default (empty) namespace 
      should not be used.
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-namespace
    match:
--- a/samples/best_practices/disallow_docker_sock_mount.yaml
+++ b/samples/best_practices/disallow_docker_sock_mount.yaml
@ -8,6 +8,7 @@ metadata:
      Docker daemon on the node. This access can be used for privilege escalation and 
      to manage containers outside of Kubernetes, and hence should not be allowed.  
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-docker-sock-mount
    match:
--- a/samples/best_practices/disallow_helm_tiller.yaml
+++ b/samples/best_practices/disallow_helm_tiller.yaml
@ -7,6 +7,7 @@ metadata:
    policies.kyverno.io/description: Tiller has known security challenges. It requires adminstrative privileges and acts as a shared
      resource accessible to any authenticated user. Tiller can lead to privilge escalation as restricted users can impact other users.
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-helm-tiller
    match:
--- a/samples/best_practices/disallow_host_network_port.yaml
+++ b/samples/best_practices/disallow_host_network_port.yaml
@ -7,6 +7,7 @@ metadata:
    policies.kyverno.io/description: Using 'hostPort' and 'hostNetwork' allows pods to share 
      the host network stack, allowing potential snooping of network traffic from an application pod.
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-host-network
    match:
--- a/samples/best_practices/disallow_latest_tag.yaml
+++ b/samples/best_practices/disallow_latest_tag.yaml
@ -8,6 +8,7 @@ metadata:
      unexpected errors if the image changes. A best practice is to use an immutable 
      tag that maps to a specific version of an application pod.
 spec:
+  validationFailureAction: audit
  rules:
  - name: require-image-tag
    match:
--- a/samples/best_practices/disallow_new_capabilities.yaml
+++ b/samples/best_practices/disallow_new_capabilities.yaml
@ -11,6 +11,7 @@ metadata:
      enforces that containers cannot add new capabilities. Other policies can be used to set
      default capabilities. 
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-add-capabilities
    match:
--- a/samples/best_practices/disallow_privileged.yaml
+++ b/samples/best_practices/disallow_privileged.yaml
@ -10,6 +10,7 @@ metadata:
      With `securityContext.allowPrivilegeEscalation` enabled, a process can 
      gain privileges from its parent. 
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-privileged
    match:
--- a/samples/best_practices/disallow_root_user.yaml
+++ b/samples/best_practices/disallow_root_user.yaml
@ -9,6 +9,7 @@ metadata:
      least privileged user ID when building the container image and require that 
      application containers run as non root users.
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-runAsNonRoot
    match:
--- a/samples/best_practices/disallow_sysctls.yaml
+++ b/samples/best_practices/disallow_sysctls.yaml
@ -8,6 +8,7 @@ metadata:
      at runtime. In a Kubernetes pod these parameters can be specified under `securityContext.sysctls`. 
      Kernel parameter modifications can be used for exploits and should be restricted.
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-sysctls
    match:
--- a/samples/best_practices/require_pod_requests_limits.yaml
+++ b/samples/best_practices/require_pod_requests_limits.yaml
@ -9,7 +9,7 @@ metadata:
      'resources.requests' and 'resources.limits' per pod. If a namespace level request or limit is 
      specified, defaults will automatically be applied to each pod based on the 'LimitRange' configuration.
 spec:
-  validationFailureAction: "audit"
+  validationFailureAction: audit
  rules:
  - name: validate-resources
    match:
--- a/samples/best_practices/require_probes.yaml
+++ b/samples/best_practices/require_probes.yaml
@ -10,6 +10,7 @@ metadata:
      containers are running or need to be restarted. A `readinessProbe` is used by services 
      and deployments to determine if the pod is ready to receive network traffic.
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-livenessProbe-readinessProbe
    match:
--- a/samples/best_practices/require_ro_rootfs.yaml
+++ b/samples/best_practices/require_ro_rootfs.yaml
@ -9,6 +9,7 @@ metadata:
      ersists the state. An immutable root filesystem can also prevent malicious binaries from 
      writing to the host system.
 spec:
+  validationFailureAction: audit
  rules:
  - name: validate-readOnlyRootFilesystem
    match: