diff --git a/README.md b/README.md index b896c8d3f9..2a478a9cf9 100644 --- a/README.md +++ b/README.md @@ -6,9 +6,9 @@ Kyverno is a policy engine designed for Kubernetes. -Kubernetes supports declarative management of objects using configurations written in YAML or JSON. Often, parts of the configuration will need to vary based on the runtime environment. For portability, and for separation of concerns, its best to maintain environment specific configurations separately from workload configurations. +Kubernetes supports declarative validation, mutation, and generation of resource configurations using policies written as Kubernetes resources. -Kyverno allows cluster adminstrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters. +Kyverno can be used to scan existing workloads for best practices, or can be used to enforce best practices by blocking or mutating API requests.Kyverno allows cluster adminstrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters. Kyverno policies are Kubernetes resources that can be written in YAML or JSON. Kyverno policies can validate, mutate, and generate any Kubernetes resources. @@ -115,29 +115,7 @@ spec: ### 4. More examples -Refer to a list of curated of [kyverno policies](/samples/README.md) to follow kubernetes best practices. - -## License - -[Apache License 2.0](https://github.com/nirmata/kyverno/blob/master/LICENSE) - -## Status - -*Kyverno is under active development and not ready for production use. Key components and policy definitions are likely to change as we complete core features.* - -## Alternatives - -### Open Policy Agent - -[Open Policy Agent (OPA)](https://www.openpolicyagent.org/) is a general-purpose policy engine that can be used as a Kubernetes admission controller. It supports a large set of use cases. Policies are written using [Rego](https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies#what-is-rego) a custom query language. - -### Polaris - -[Polaris](https://github.com/reactiveops/polaris) validates configurations for best practices. It includes several checks across health, networking, security, etc. Checks can be assigned a severity. A dashboard reports the overall score. - -### External configuration management tools - -Tools like [Kustomize](https://github.com/kubernetes-sigs/kustomize) can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations. +Refer to a list of curated of ***[sample policies](/samples/README.md)*** that can be applied to your cluster. ## Documentation @@ -149,15 +127,35 @@ Tools like [Kustomize](https://github.com/kubernetes-sigs/kustomize) can be used * [Testing Policies](documentation/testing-policies.md) * [Using kubectl](documentation/testing-policies.md#Test-using-kubectl) * [Using the Kyverno CLI](documentation/testing-policies.md#Test-using-the-Kyverno-CLI) +* [Sample Policies](/samples/README.md) + +## License + +[Apache License 2.0](https://github.com/nirmata/kyverno/blob/master/LICENSE) + + +## Alternatives + +### Open Policy Agent + +[Open Policy Agent (OPA)](https://www.openpolicyagent.org/) is a general-purpose policy engine that can be used as a Kubernetes admission controller. It supports a large set of use cases. Policies are written using [Rego](https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies#what-is-rego) a custom query language. + +### k-rail + +[k-rail](https://github.com/cruise-automation/k-rail/) provides several ready to use policies for security and multi-tenancy. The policies are written in Golang. Several of the [Kyverno sample policies](/samples/README.md) were inspired by k-rail policies. + +### Polaris + +[Polaris](https://github.com/reactiveops/polaris) validates configurations for best practices. It includes several checks across health, networking, security, etc. Checks can be assigned a severity. A dashboard reports the overall score. + +### External configuration management tools + +Tools like [Kustomize](https://github.com/kubernetes-sigs/kustomize) can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations. + ## Roadmap -Here are some the major features we plan on completing before a 1.0 release: - -* [Events](https://github.com/nirmata/kyverno/issues/14) -* [Policy Violations](https://github.com/nirmata/kyverno/issues/24) -* [Conditionals on existing resources](https://github.com/nirmata/kyverno/issues/57) -* [Extend CLI to operate on cluster resources ](https://github.com/nirmata/kyverno/issues/164) +See [Milestones](https://github.com/nirmata/kyverno/milestones) and [Issues](https://github.com/nirmata/kyverno/issues). ## Getting help @@ -166,7 +164,7 @@ Here are some the major features we plan on completing before a 1.0 release: ## Contributing -Welcome to our community and thanks for contributing! +Thanks for your interest in contributing! * Please review and agree to abide with the [Code of Conduct](/CODE_OF_CONDUCT.md) before contributing. * See the [Wiki](https://github.com/nirmata/kyverno/wiki) for developer documentation. diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md index 8f724fab2a..c9bd5f676c 100644 --- a/documentation/writing-policies-mutate.md +++ b/documentation/writing-policies-mutate.md @@ -2,17 +2,23 @@ # Mutate Configurations -The ```mutate``` rule contains actions that will be applied to matching resource before their creation. A mutate rule can be written as a JSON Patch or as an overlay. By using a ```patch``` in the (JSONPatch - RFC 6902)[http://jsonpatch.com/] format, you can make precise changes to the resource being created. Using an ```overlay``` is convenient for describing the desired state of the resource. +The ```mutate``` rule contains actions that will be applied to matching resources. A mutate rule can be written as a JSON Patch or as an overlay. + +By using a ```patch``` in the (JSONPatch - RFC 6902)[http://jsonpatch.com/] format, you can make precise changes to the resource being created. Using an ```overlay``` is convenient for describing the desired state of the resource. Resource mutation occurs before validation, so the validation rules should not contradict the changes performed by the mutation section. -## Anchors -| Anchor | Tag | Behavior | -|------------- |----- |--------------------------------------------- | -| Conditional | () | Add the specified tag | -| Add | +() | Add if the tag if not specified | -## Patches +## JSON Patch + +A JSON Patch rule provides an alternate way to mutate resources. + +[JSONPatch](http://jsonpatch.com/) supports the following operations (in the 'op' field): +* **add** +* **replace** +* **remove** + +With Kyverno, the add and replace have the same behavior i.e. both operations will add or replace the target element. This patch adds an init container to all deployments. @@ -37,14 +43,9 @@ spec : name: "init-secrets" ```` -[JSONPatch](http://jsonpatch.com/) supports the following operations (in the 'op' field): -* **add** -* **replace** -* **remove** - -With Kyverno, the add and replace have the same behavior i.e. both operations will add or replace the target element. Here is the example of a patch that removes a label from the secret: + ````yaml apiVersion : kyverno.io/v1alpha1 kind : ClusterPolicy @@ -65,9 +66,11 @@ spec : Note, that if **remove** operation cannot be applied, then this **remove** operation will be skipped with no error. -## Overlay +## Mutate Overlay -A mutation overlay describes the desired form of resource. The existing resource values are replaced with the values specified in the overlay. If a value is specified in the overlay but not present in the target resource, then it will be added to the resource. The overlay cannot be used to delete values in a resource: use **patches** for this purpose. +A mutation overlay describes the desired form of resource. The existing resource values are replaced with the values specified in the overlay. If a value is specified in the overlay but not present in the target resource, then it will be added to the resource. + +The overlay cannot be used to delete values in a resource: use **patches** for this purpose. The following mutation overlay will add (or replace) the memory request and limit to 10Gi for every Pod with a label ```memory: high```: @@ -124,9 +127,26 @@ spec: ```` + ### Conditional logic using anchors -An **anchor** field, marked by parentheses, allows conditional processing of configurations. Processing stops when the anchor value does not match. Once processing stops, any child elements or any remaining siblings in a list, will not be processed. +An **anchor** field, marked by parentheses and an optional preceeding character, allows conditional processing for mutations. + +The mutate overlay rules support two types of anchors: + +| Anchor | Tag | Behavior | +|--------------------|----- |----------------------------------------------------- | +| Conditional | () | Use the tag and value as an "if" condition | +| Add if not present | +() | Add the tag value, if the tag is not already present | + + +The **anchors** values support **wildcards**: +1. `*` - matches zero or more alphanumeric characters +2. `?` - matches a single alphanumeric character + +#### Conditional anchor + +A `conditional anchor` evaluates to `true` if the anchor tag exists and if the value matches the specified value. Processing stops if a tag does not exist or when the value does not match. Once processing stops, any child elements or any remaining siblings in a list, will not be processed. For example, this overlay will add or replace the value 6443 for the port field, for all ports with a name value that starts with "secure": @@ -150,16 +170,15 @@ spec : port: 6443 ```` -The **anchors** values support **wildcards**: -1. `*` - matches zero or more alphanumeric characters -2. `?` - matches a single alphanumeric character +If the anchor tag value is an object or array, the entire object or array must match. In other words, the entire object or array becomes part of the "if" clause. Nested `conditional anchor` tags are not supported. +### Add if not present anchor -### Add if not present +A variation of an anchor, is to add a field value if it is not already defined. This is done by using the `add anchor` (short for `add if not present anchor`) with the notation ````+(...)```` for the tag. -A variation of an anchor, is to add a field value if it is not already defined. This is done by using the ````+(...)```` notation for the field. +An `add anchor` is processed as part of applying the mutation. Typically, every non-anchor tag-value is applied as part of the mutation. If the `add anchor` is set on a tag, the tag and value are only applied if they do not exist in the resource. - For example, this overlay will set the port to 6443, if a port is not already defined: +For example, this overlay will set the port to 6443, if a port is not already defined: ````yaml apiVersion: kyverno.io/v1alpha1 @@ -180,6 +199,15 @@ spec : +(port): 6443 ```` +#### Anchor processing flow + +The anchor processing behavior for mutate conditions is as follows: + +1. First, all conditional anchors are processed. Processing stops when the first conditional anchor return a `false`. Mutation proceeds only of all conditional anchors return a `true`. Note that for `conditional anchor` tags with complex (object or array) values the entire value (child) object is treated as part of the condition, as explained above. + +2. Next, all tag-values without anchors and all `add anchor` tags are processed to apply the mutation. + + ## Additional Details Additional details on mutation overlay behaviors are available on the wiki: [Mutation Overlay](https://github.com/nirmata/kyverno/wiki/Mutation-Overlay) diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go index 01902bf979..0076e0e048 100644 --- a/pkg/testrunner/testrunner_test.go +++ b/pkg/testrunner/testrunner_test.go @@ -10,68 +10,56 @@ func Test_Mutate_Validate_qos(t *testing.T) { testScenario(t, "/test/scenarios/other/scenario_mutate_validate_qos.yaml") } -func Test_validate_deny_runasrootuser(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml") +func Test_disallow_root_user(t *testing.T) { + testScenario(t, "test/scenarios/samples/best_practices/disallow_root_user.yaml") } -func Test_validate_disallow_priviledgedprivelegesecalation(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml") +func Test_disallow_priviledged(t *testing.T) { + testScenario(t, "test/scenarios/samples/best_practices/disallow_priviledged.yaml") } func Test_validate_healthChecks(t *testing.T) { testScenario(t, "/test/scenarios/other/scenario_validate_healthChecks.yaml") } -func Test_generate_networkPolicy(t *testing.T) { - testScenario(t, "/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml") +func Test_add_networkPolicy(t *testing.T) { + testScenario(t, "/test/scenarios/samples/best_practices/add_networkPolicy.yaml") } // namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver -func Test_validate_require_image_tag_not_latest_deny(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml") +func Test_validate_disallow_latest_tag(t *testing.T) { + testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag.yaml") } func Test_validate_require_image_tag_not_latest_pass(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml") -} - -func Test_validate_disallow_automoutingapicred_pass(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml") + testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml") } func Test_validate_disallow_default_namespace(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml") + testScenario(t, "test/scenarios/samples/best_practices/disallow_default_namespace.yaml") } func Test_validate_host_network_port(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml") + testScenario(t, "test/scenarios/samples/best_practices/disallow_host_network_port.yaml") } -func Test_validate_hostPID_hostIPC(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml") +func Test_validate_host_PID_IPC(t *testing.T) { + testScenario(t, "test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml") } -func Test_validate_not_readonly_rootfilesystem(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml") +func Test_validate_ro_rootfs(t *testing.T) { + testScenario(t, "test/scenarios/samples/best_practices/require_ro_rootfs.yaml") } -func Test_validate_require_namespace_quota(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml") -} - -func Test_validate_disallow_node_port(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml") +func Test_add_ns_quota(t *testing.T) { + testScenario(t, "test/scenarios/samples/best_practices/add_ns_quota.yaml") } func Test_validate_disallow_default_serviceaccount(t *testing.T) { testScenario(t, "test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml") } -func Test_validate_fsgroup(t *testing.T) { - testScenario(t, "test/scenarios/samples/more/scenario_validate_fsgroup.yaml") -} - func Test_validate_selinux_context(t *testing.T) { testScenario(t, "test/scenarios/other/scenario_validate_selinux_context.yaml") } @@ -80,61 +68,66 @@ func Test_validate_proc_mount(t *testing.T) { testScenario(t, "test/scenarios/other/scenario_validate_default_proc_mount.yaml") } -func Test_validate_container_capabilities(t *testing.T) { - testScenario(t, "test/scenarios/samples/more/scenario_validate_container_capabilities.yaml") -} - -func Test_validate_disallow_sysctl(t *testing.T) { - testScenario(t, "test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml") -} - func Test_validate_volume_whitelist(t *testing.T) { testScenario(t, "test/scenarios/other/scenario_validate_volume_whiltelist.yaml") } -func Test_validate_trusted_image_registries(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml") -} - func Test_require_pod_requests_limits(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml") + testScenario(t, "test/scenarios/samples/best_practices/require_pod_requests_limits.yaml") } func Test_require_probes(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_probes.yaml") + testScenario(t, "test/scenarios/samples/best_practices/require_probes.yaml") } -func Test_validate_disallow_host_filesystem_fail(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml") +func Test_validate_disallow_bind_mounts_fail(t *testing.T) { + testScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml") } -func Test_validate_disallow_host_filesystem_pass(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml") +func Test_validate_disallow_bind_mounts_pass(t *testing.T) { + testScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml") } + func Test_validate_disallow_new_capabilities(t *testing.T) { - testScenario(t, "/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml") + testScenario(t, "/test/scenarios/samples/best_practices/disallow_new_capabilities.yaml") } -func Test_validate_disallow_docker_sock_mount(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml") +func Test_disallow_sysctls(t *testing.T) { + testScenario(t, "/test/scenarios/samples/best_practices/disallow_sysctls.yaml") +} + +func Test_disallow_docker_sock_mount(t *testing.T) { + testScenario(t, "test/scenarios/samples/best_practices/disallow_docker_sock_mount.yaml") } func Test_validate_disallow_helm_tiller(t *testing.T) { testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml") } -func Test_add_safe_to_evict_annotation(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml") +func Test_add_safe_to_evict(t *testing.T) { + testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict.yaml") } func Test_add_safe_to_evict_annotation2(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict2.yaml") + testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict2.yaml") +} + +func Test_validate_restrict_automount_sa_token_pass(t *testing.T) { + testScenario(t, "test/scenarios/samples/more/restrict_automount_sa_token.yaml") +} + +func Test_restrict_node_port(t *testing.T) { + testScenario(t, "test/scenarios/samples/more/restrict_node_port.yaml") +} + +func Test_validate_restrict_image_registries(t *testing.T) { + testScenario(t, "test/scenarios/samples/more/restrict_image_registries.yaml") } func Test_known_ingress(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_known_ingress_class.yaml") + testScenario(t, "test/scenarios/samples/more/restrict_ingress_classes.yaml") } func Test_unknown_ingress(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_unknown_ingress_class.yaml") + testScenario(t, "test/scenarios/samples/more/unknown_ingress_class.yaml") } diff --git a/samples/AddDefaultNetworkPolicy.md b/samples/AddDefaultNetworkPolicy.md new file mode 100644 index 0000000000..2d1e46424c --- /dev/null +++ b/samples/AddDefaultNetworkPolicy.md @@ -0,0 +1,33 @@ +# Default deny all ingress traffic + +By default, Kubernetes allows communications across all pods within a cluster. Network policies and, a CNI that supports network policies, must be used to restrict communinications. + +A default `NetworkPolicy` should be configured for each namespace to default deny all ingress traffic to the pods in the namespace. Application teams can then configure additional `NetworkPolicy` resources to allow desired traffic to application pods from select sources. + +## Policy YAML + +[add_network_policy.yaml](best_practices/add_network_policy.yaml) + +````yaml +apiVersion: kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: add-networkpolicy +spec: + rules: + - name: "default-deny-ingress" + match: + resources: + kinds: + - Namespace + name: "*" + generate: + kind: NetworkPolicy + name: default-deny-ingress + data: + spec: + # select all pods in the namespace + podSelector: {} + policyTypes: + - Ingress +```` \ No newline at end of file diff --git a/samples/RequireNSLimitsQuotas.md b/samples/AddNamespaceResourceQuota.md similarity index 80% rename from samples/RequireNSLimitsQuotas.md rename to samples/AddNamespaceResourceQuota.md index e77703a197..4e32f70653 100644 --- a/samples/RequireNSLimitsQuotas.md +++ b/samples/AddNamespaceResourceQuota.md @@ -8,23 +8,23 @@ To limit the number of resources like CPU and memory, as well as objects that ma ## Policy YAML -[require_namespace_quota.yaml](best_practices/require_namespace_quota.yaml) +[add_ns_quota.yaml](best_practices/add_ns_quota.yaml) ````yaml apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: generate-namespace-quota + name: add-ns-quota spec: rules: - - name: generate-namespace-quota + - name: generate-resourcequota match: resources: kinds: - Namespace generate: kind: ResourceQuota - name: "defaultresourcequota" + name: "default-resourcequota" data: spec: hard: diff --git a/samples/MutateSafeToEvict.md b/samples/AddSafeToEvict.md similarity index 84% rename from samples/MutateSafeToEvict.md rename to samples/AddSafeToEvict.md index 86717cf950..1558a77904 100644 --- a/samples/MutateSafeToEvict.md +++ b/samples/AddSafeToEvict.md @@ -10,16 +10,16 @@ This policy matches and mutates pods with `emptyDir` and `hostPath` volumes, to ## Policy YAML -[add_safe_to_evict_annotation.yaml](best_practices/add_safe-to-evict_annotation.yaml) +[add_safe_to_evict_annotation.yaml](best_practices/add_safe_to_evict.yaml) ````yaml apiVersion: "kyverno.io/v1alpha1" kind: "ClusterPolicy" metadata: - name: "annotate-emptydir-hostpath" + name: "add-safe-to-evict" spec: rules: - - name: "empty-dir-add-safe-to-evict" + - name: "annotate-empty-dir" match: resources: kinds: @@ -32,7 +32,7 @@ spec: spec: volumes: - (emptyDir): {} - - name: "host-path-add-safe-to-evict" + - name: "annotate-host-path" match: resources: kinds: diff --git a/samples/AssignLinuxCapabilities.md b/samples/AssignLinuxCapabilities.md deleted file mode 100644 index a15dd8cd73..0000000000 --- a/samples/AssignLinuxCapabilities.md +++ /dev/null @@ -1,34 +0,0 @@ -# Assign Linux capabilities - -Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled or disabled by listing them in `securityContext.capabilites`. - -## Policy YAML - -[policy_validate_container_capabilities.yaml](more/policy_validate_container_capabilities.yaml) - -````yaml -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: validate-container-capablities -spec: - rules: - - name: validate-container-capablities - match: - resources: - kinds: - - Pod - validate: - message: "Allow certain linux capability" - pattern: - spec: - containers: - - securityContext: - capabilities: - add: ["NET_ADMIN"] - -```` - -## Additional Information - -* [List of linux capabilities](https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h) diff --git a/samples/ConfigureKernelParmeters.md b/samples/ConfigureKernelParmeters.md deleted file mode 100644 index 2f9525cbac..0000000000 --- a/samples/ConfigureKernelParmeters.md +++ /dev/null @@ -1,34 +0,0 @@ -# Configure kernel parameters - -The Sysctl interface allows to modify kernel parameters at runtime and in the pod can be specified under `securityContext.sysctls`. If kernel parameters in the pod are to be modified, should be handled cautiously, and policy with rules restricting these options will be helpful. We can control minimum and maximum port that a network connection can use as its source(local) port by checking net.ipv4.ip_local_port_range - -## Policy YAML - -[policy_validate_sysctl_configs.yaml](more/policy_validate_sysctl_configs.yaml) - -````yaml -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: validate-allow-portrange-with-sysctl -spec: - rules: - - name: allow-portrange-with-sysctl - match: - resources: - kinds: - - Pod - validate: - message: "Allowed port range is from 1024 to 65535" - pattern: - spec: - securityContext: - sysctls: - - name: net.ipv4.ip_local_port_range - value: "1024 65535" -```` - - -## Additional Information - -* [List of supported namespaced sysctl interfaces](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) diff --git a/samples/DefaultDenyAllIngress.md b/samples/DefaultDenyAllIngress.md deleted file mode 100644 index 6620530e03..0000000000 --- a/samples/DefaultDenyAllIngress.md +++ /dev/null @@ -1,33 +0,0 @@ -# Default deny all ingress traffic - -By default, Kubernetes allows all ingress and egress traffic to and from pods within a cluster. - -A "default" `NetworkPolicy` should be configured for each namespace to default deny all ingress traffic to the pods in that namespace. Later, the application team can configure additional `NetworkPolicy` resources to allow desired traffic to application pods from select sources. - -## Policy YAML - -[require_default_network_policy.yaml](best_practices/require_default_network_policy.yaml) - -````yaml -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: default-deny-ingress-networkpolicy -spec: - rules: - - name: "default-deny-ingress" - match: - resources: - kinds: - - Namespace - name: "*" - generate: - kind: NetworkPolicy - name: default-deny-ingress - data: - spec: - # select all pods in the namespace - podSelector: {} - policyTypes: - - Ingress -```` \ No newline at end of file diff --git a/samples/DisallowAutomountSACredentials.md b/samples/DisallowAutomountSACredentials.md deleted file mode 100644 index a9de50a554..0000000000 --- a/samples/DisallowAutomountSACredentials.md +++ /dev/null @@ -1,30 +0,0 @@ -# Disallow automount of Service Account credentials - -Kubernetes automounts default service account credentials in each pod. To restrict access, opt out of automounting credentials by setting `automountServiceAccountToken` to `false`. - -## Policy YAML - -[disallow_automountingapicred.yaml](best_practices/disallow_automountingapicred.yaml) - -````yaml -apiVersion : kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: validate-disallow-automoutingapicred -spec: - rules: - - name: disallow-automoutingapicred - match: - resources: - kinds: - - Pod - validate: - message: "Deny automounting API credentials" - pattern: - spec: - =(serviceAccountName): "*" - automountServiceAccountToken: false -```` - - - diff --git a/samples/DisallowHostFS.md b/samples/DisallowBindMounts.md similarity index 63% rename from samples/DisallowHostFS.md rename to samples/DisallowBindMounts.md index a1a407e42f..df899c104b 100644 --- a/samples/DisallowHostFS.md +++ b/samples/DisallowBindMounts.md @@ -1,25 +1,25 @@ # Disallow use of bind mounts (`hostPath` volumes) -The volume of type `hostPath` allows pods to use host bind mounts (i.e. directories and volumes mounted to a host path) in containers. Using host resources can be used to access shared data or escalate priviliges. Also, this couples pods to a specific host and data persisted in the `hostPath` volume is coupled to the life of the node leading to potential pod scheduling failures. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes). +The volume of type `hostPath` allows pods to use host bind mounts (i.e. directories and volumes mounted to a host path) in containers. Using host resources can be used to access shared data or escalate privileges. Also, this couples pods to a specific host and data persisted in the `hostPath` volume is coupled to the life of the node leading to potential pod scheduling failures. It is highly recommended that applications are designed to be decoupled from the underlying infrastructure (in this case, nodes). ## Policy YAML -[disallow_host_filesystem.yaml](best_practices/disallow_host_filesystem.yaml) +[disallow_bind_mounts.yaml](best_practices/disallow_bind_mounts.yaml) ````yaml apiVersion: "kyverno.io/v1alpha1" kind: "ClusterPolicy" metadata: - name: "deny-use-of-host-fs" + name: "disallow-bind-mounts" spec: rules: - - name: "deny-use-of-host-fs" + - name: "validate-hostPath" match: resources: kinds: - "Pod" validate: - message: "Host path is not allowed" + message: "Host path volumes are not allowed" pattern: spec: volumes: diff --git a/samples/DisallowDefaultNamespace.md b/samples/DisallowDefaultNamespace.md index a15719678d..03d1845a83 100644 --- a/samples/DisallowDefaultNamespace.md +++ b/samples/DisallowDefaultNamespace.md @@ -1,6 +1,6 @@ # Disallow use of default namespace -Kubernetes namespaces provide a way to segment and isolate cluster resources across multiple applictaions and users. It is recommended that each workload be isolated in its own namespace and that use of the default namespace be not allowed. +Kubernetes namespaces are an optional feature that provide a way to segment and isolate cluster resources across multiple applications and users. As a best practice, workloads should be isolated with namespaces. Namespaces should be required and the default (empty) namespace should not be used. ## Policy YAML @@ -10,20 +10,20 @@ Kubernetes namespaces provide a way to segment and isolate cluster resources acr apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-namespace + name: disallow-default-namespace spec: rules: - - name: check-default-namespace + - name: validate-namespace match: resources: kinds: - Pod validate: - message: "Using 'default' namespace is restricted" + message: "Using 'default' namespace is not allowed" pattern: metadata: namespace: "!default" - - name: check-namespace-exist + - name: require-namespace match: resources: kinds: diff --git a/samples/DisallowDockerSockMount.md b/samples/DisallowDockerSockMount.md index 330772a40f..af2afa3a1f 100644 --- a/samples/DisallowDockerSockMount.md +++ b/samples/DisallowDockerSockMount.md @@ -13,11 +13,6 @@ apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: name: disallow-docker-sock-mount - annotations: - policies.kyverno.io/category: Security - policies.kyverno.io/description: The Docker socket bind mount allows access to the - Docker daemon on the node. This access can be used for privilege escalation and - to manage containers outside of Kubernetes, and hence should not be allowed. spec: rules: - name: validate-docker-sock-mount diff --git a/samples/DisallowHelmTiller.md b/samples/DisallowHelmTiller.md index 424ac67c6f..df8e949ae3 100644 --- a/samples/DisallowHelmTiller.md +++ b/samples/DisallowHelmTiller.md @@ -4,14 +4,13 @@ Tiller has known security challenges. It requires adminstrative privileges and a ## Policy YAML +[disallow_helm_tiller.yaml](best_practices/disallow_helm_tiller.yaml) + ````yaml apiVersion : kyverno.io/v1alpha1 kind: ClusterPolicy metadata: name: disallow-helm-tiller - annotations: - policies.kyverno.io/category: Security - policies.kyverno.io/description: spec: rules: - name: validate-helm-tiller diff --git a/samples/DisallowHostNetworkPort.md b/samples/DisallowHostNetworkPort.md index 2f7e93de87..aeaa274e81 100644 --- a/samples/DisallowHostNetworkPort.md +++ b/samples/DisallowHostNetworkPort.md @@ -5,23 +5,23 @@ Using `hostPort` and `hostNetwork` allows pods to share the host networking stac ## Policy YAML -[disallow_host_network_hostport.yaml](best_practices/disallow_host_network_hostport.yaml) +[disallow_host_network_port.yaml](best_practices/disallow_host_network_port.yaml) ````yaml apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-host-network-hostport + name: disallow-host-network-port spec: rules: - - name: validate-host-network-hostport + - name: validate-host-network-port match: resources: kinds: - Pod validate: - message: "Defining hostNetwork and hostPort are not allowed" + message: "Using host networking is not allowed" pattern: spec: (hostNetwork): false diff --git a/samples/DisallowHostPIDIPC.md b/samples/DisallowHostPIDIPC.md index 6d68e06400..bf5b30f3e9 100644 --- a/samples/DisallowHostPIDIPC.md +++ b/samples/DisallowHostPIDIPC.md @@ -6,23 +6,17 @@ To avoid pod container from having visibility to host process space, validate th ## Policy YAML -[disallow_hostpid_hostipc.yaml](best_practices/disallow_hostpid_hostipc.yaml) +[disallow_host_pid_ipc.yaml](best_practices/disallow_host_pid_ipc.yaml) ````yaml apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-host-pid-ipc - annotations: - policies.kyverno.io/category: Security - policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process - on the host, potentially exposing process information. Sharing the host's IPC namespace allows - the container process to communicate with processes on the host. To avoid pod container from - having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'. + name: disallow-host-pid-ipc spec: - validationFailureAction: enforce + validationFailureAction: audit rules: - - name: validate-host-pid-ipc + - name: validate-hostPID-hostIPC match: resources: kinds: diff --git a/samples/DisallowLatestTag.md b/samples/DisallowLatestTag.md index 20a10e08d0..d9075dade5 100644 --- a/samples/DisallowLatestTag.md +++ b/samples/DisallowLatestTag.md @@ -4,36 +4,37 @@ The `:latest` tag is mutable and can lead to unexpected errors if the upstream i ## Policy YAML -[require_image_tag_not_latest.yaml](best_practices/require_image_tag_not_latest.yaml) +[disallow_latest_tag.yaml](best_practices/disallow_latest_tag.yaml) ````yaml apiVersion : kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-image-tag + name: disallow-latest-tag spec: rules: - - name: image-tag-notspecified + - name: require-tag match: resources: kinds: - Pod validate: - message: "Image tag not specified" + message: "An image tag is required" pattern: spec: containers: - image: "*:*" - - name: image-tag-not-latest + - name: validate-tag match: resources: kinds: - Pod validate: - message: "Using 'latest' image tag is restricted. Set image tag to a specific version" + message: "Using a mutable image tag e.g. 'latest' is not allowed" pattern: spec: containers: - image: "!*:latest" + ```` diff --git a/samples/DisallowNewCapabilities.md b/samples/DisallowNewCapabilities.md index 0499684c61..aecd0bc280 100644 --- a/samples/DisallowNewCapabilities.md +++ b/samples/DisallowNewCapabilities.md @@ -14,23 +14,16 @@ default capabilities. apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-new-capabilities - annotations: - policies.kyverno.io/category: Security Context - policies.kyverno.io/description: Linux allows defining fine-grained permissions using - capabilities. With Kubernetes, it is possible to add capabilities that escalate the - level of kernel access and allow other potentially dangerous behaviors. This policy - enforces that pods cannot add new capabilities. Other policies can be used to set - default capabilities. + name: disallow-new-capabilities spec: rules: - - name: deny-new-capabilities + - name: validate-add-capabilities match: resources: kinds: - Pod validate: - message: "Capabilities cannot be added" + message: "New capabilities cannot be added" anyPattern: - spec: =(securityContext): @@ -42,4 +35,5 @@ spec: =(securityContext): =(capabilities): X(add): null + ```` diff --git a/samples/DisablePrivilegedContainers.md b/samples/DisallowPrivilegedContainers.md similarity index 52% rename from samples/DisablePrivilegedContainers.md rename to samples/DisallowPrivilegedContainers.md index fe8732abe7..4257b25d7d 100644 --- a/samples/DisablePrivilegedContainers.md +++ b/samples/DisallowPrivilegedContainers.md @@ -1,36 +1,50 @@ -# Disable privileged containers +# Diallow privileged containers Privileged containers are defined as any container where the container uid 0 is mapped to the host’s uid 0. A process within a privileged container can get unrestricted host access. With `securityContext.allowPrivilegeEscalation` enabled, a process can gain privileges from its parent. -To disallow privileged containers and the privilege escalation it is recommended to run pod containers with `securityContext.priveleged` set to `false` and `allowPrivilegeEscalation` set to `false`. +To disallow privileged containers and privilege escalation, run pod containers with `securityContext.privileged` set to `false` and `securityContext.allowPrivilegeEscalation` set to `false`. ## Policy YAML -[disallow_priviledged_priviligedescalation.yaml](best_practices/disallow_priviledged_priviligedescalation.yaml) +[disallow_privileged.yaml](best_practices/disallow_privileged.yaml) ````yaml apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-deny-privileged-priviligedescalation + name: disallow-privileged spec: rules: - - name: deny-privileged-priviligedescalation + - name: validate-privileged match: resources: kinds: - Pod validate: - message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false" + message: "Privileged mode is not allowed. Set privileged to false" anyPattern: - spec: securityContext: - allowPrivilegeEscalation: false privileged: false + - spec: + containers: + - name: "*" + securityContext: + privileged: false + - name: validate-allowPrivilegeEscalation + match: + resources: + kinds: + - Pod + validate: + message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false" + anyPattern: + - spec: + securityContext: + allowPrivilegeEscalation: false - spec: containers: - name: "*" securityContext: allowPrivilegeEscalation: false - privileged: false ```` diff --git a/samples/RunAsNonRootUser.md b/samples/DisallowRootUser.md similarity index 86% rename from samples/RunAsNonRootUser.md rename to samples/DisallowRootUser.md index e2257418b5..975d3b5361 100644 --- a/samples/RunAsNonRootUser.md +++ b/samples/DisallowRootUser.md @@ -8,16 +8,17 @@ By default, all processes in a container run as the root user (uid 0). To preven ## Policy YAML -[deny_runasrootuser.yaml](best_practices/deny_runasrootuser.yaml) +[disallow_root_user.yaml](best_practices/disallow_root_user.yaml) ````yaml apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-deny-runasrootuser + name: disallow-root-user + annotations: spec: rules: - - name: deny-runasrootuser + - name: validate-runAsNonRoot match: resources: kinds: diff --git a/samples/DisallowSysctls.md b/samples/DisallowSysctls.md new file mode 100644 index 0000000000..14f552b971 --- /dev/null +++ b/samples/DisallowSysctls.md @@ -0,0 +1,32 @@ +# Disallow changes to kernel parameters + +The Sysctl interface allows modifications to kernel parameters at runtime. In a Kubernetes pod these parameters can be specified under `securityContext.sysctls`. Kernel parameter modifications can be used for exploits and should be restricted. + +## Additional Information + +* [List of supported namespaced sysctl interfaces](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) + + +## Policy YAML + +[disallow_sysctls.yaml](best_practices/disallow_sysctls.yaml) + +````yaml +apiVersion: kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: disallow-sysctls +spec: + rules: + - name: validate-sysctls + match: + resources: + kinds: + - Pod + validate: + message: "Changes to kernel paramaters are not allowed" + pattern: + spec: + securityContext: + X(sysctls): null +```` diff --git a/samples/KnownIngressClass.md b/samples/KnownIngressClass.md deleted file mode 100644 index a1da840d26..0000000000 --- a/samples/KnownIngressClass.md +++ /dev/null @@ -1,32 +0,0 @@ -# Require a known ingress class - -It can be useful to restrict Ingress resources to use a known ingress class that are allowed in the cluster. - -You can customize this policy to allow ingress classes that are configured in the cluster. - -## Policy YAML - -[known_ingress.yaml](best_practices/known_ingress.yaml) - -````yaml -apiVersion : kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: known-ingress - annotations: - policies.kyverno.io/category: Ingress - policies.kyverno.io/description: -spec: - rules: - - name: known-ingress - match: - resources: - kinds: - - Ingress - validate: - message: "Unknown ingress class" - pattern: - metadata: - annotations: - kubernetes.io/ingress.class: "F5 | nginx" -```` diff --git a/samples/README.md b/samples/README.md index 4bad1c3f8c..cdb3ea1e6e 100644 --- a/samples/README.md +++ b/samples/README.md @@ -1,6 +1,43 @@ # Sample Policies -Sample policies are designed to be applied to your Kubernetes clusters with minimal changes. To apply these policies to your cluster, install Kyverno and import the policies as follows: +Sample policies are designed to be applied to your Kubernetes clusters with minimal changes. + +The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince. + +## Best Practice Policies + +These policies are highly recommended. + +1. [Disallow root user](DisallowRootUser.md) +2. [Disallow privileged containers](DisallowPrivilegedContainers.md) +3. [Disallow new capabilities](DisallowNewCapabilities.md) +4. [Disallow kernel parameter changes](DisallowSysctls.md) +5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowBindMounts.md) +6. [Disallow docker socket bind mount](DisallowDockerSockMount.md) +7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md) +8. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md) +9. [Disallow use of default namespace](DisallowDefaultNamespace.md) +10. [Disallow latest image tag](DisallowLatestTag.md) +11. [Disallow Helm Tiller](DisallowHelmTiller.md) +12. [Require read-only root filesystem](RequireReadOnlyRootFS.md) +13. [Require pod resource requests and limits](RequirePodRequestsLimits.md) +14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md) +15. [Add default network policy](AddDefaultNetworkPolicy.md) +16. [Add namespace resource quotas](AddNamespaceResourceQuota.md) +17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md) + +## Additional Policies + +These policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments. + +17. [Restrict image registries](RestrictImageRegistries.md) +18. [Restrict `NodePort` services](RestrictNodePort.md) +19. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md) +20. [Restrict ingress classes](RestrictIngressClasses.md) + +## Applying the sample policies + +To apply these policies to your cluster, install Kyverno and import the policies as follows: **Install Kyverno** @@ -30,36 +67,3 @@ Import addition policies from [here](more): kubectl create -f samples/more/ ```` -The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince. - -## Best Practice Policies - -These policies are highly recommended. - -1. [Run as non-root user](RunAsNonRootUser.md) -2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md) -3. [Disallow new capabilities](DisallowNewCapabilities.md) -4. [Require read-only root filesystem](RequireReadOnlyFS.md) -5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md) -6. [Disallow docker socket bind mount](DisallowDockerSockMount.md) -7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md) -8. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md) -9. [Disallow unknown image registries](DisallowUnknownRegistries.md) -10. [Disallow latest image tag](DisallowLatestTag.md) -11. [Disallow use of default namespace](DisallowDefaultNamespace.md) -12. [Require namespace limits and quotas](RequireNSLimitsQuotas.md) -13. [Require pod resource requests and limits](RequirePodRequestsLimits.md) -14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md) -15. [Default deny all ingress traffic](DefaultDenyAllIngress.md) -16. [Disallow Helm Tiller](DisallowHelmTiller.md) -17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](MutateSafeToEvict.md) - -## Additional Policies - -The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes. - -18. [Limit use of `NodePort` services](LimitNodePort.md) -19. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md) -20. [Configure Linux Capabilities](AssignLinuxCapabilities.md) -21. [Limit Kernel parameter access](ConfigureKernelParmeters.md) -22. [Restrict ingress class](KnownIngressClass.md) diff --git a/samples/RequirePodProbes.md b/samples/RequirePodProbes.md index 1b20dce2d7..2c24062439 100644 --- a/samples/RequirePodProbes.md +++ b/samples/RequirePodProbes.md @@ -1,8 +1,8 @@ # Require `livenessProbe` and `readinessProbe` -For each pod, a `livenessProbe` is carried out by the kubelet to determine if containers are running and when to restart the pod. A `readinessProbe` is used by services and deployments to determine if the pod is ready to recieve network traffic. +Liveness and readiness probes need to be configured to correctly manage a pods lifecycle during deployments, restarts, and upgrades. -Both liveness and readiness probes need to be configured to manage the pod lifecycle during restarts and upgrades. +For each pod, a periodic `livenessProbe` is performed by the kubelet to determine if the pod's containers are running or need to be restarted. A `readinessProbe` is used by services and deployments to determine if the pod is ready to receive network traffic. ## Policy YAML @@ -12,10 +12,10 @@ Both liveness and readiness probes need to be configured to manage the pod lifec apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-probes + name: require-pod-probes spec: rules: - - name: check-probes + - name: validate-livenessProbe-readinessProbe match: resources: kinds: diff --git a/samples/RequirePodRequestsLimits.md b/samples/RequirePodRequestsLimits.md index 140ca0a0e4..69986ad42d 100644 --- a/samples/RequirePodRequestsLimits.md +++ b/samples/RequirePodRequestsLimits.md @@ -12,11 +12,11 @@ If a namespace level request or limit is specified, defaults will automatically apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: check-resource + name: require-pod-requests-limits spec: validationFailureAction: "audit" rules: - - name: check-resource-request-limit + - name: validate-resources match: resources: kinds: diff --git a/samples/RequireReadOnlyFS.md b/samples/RequireReadOnlyRootFS.md similarity index 68% rename from samples/RequireReadOnlyFS.md rename to samples/RequireReadOnlyRootFS.md index 6f83c2e09e..7a1a29fac1 100644 --- a/samples/RequireReadOnlyFS.md +++ b/samples/RequireReadOnlyRootFS.md @@ -1,29 +1,29 @@ -# Require Read-only root filesystem +# Require read-only root filesystem A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write on mounted volumes that can persist state even if the container exits. An immutable root filesystem can also prevent malicious binaries from writing to the host system. ## Policy YAML -[require_readonly_rootfilesystem.yaml](best_practices/require_readonly_rootfilesystem.yaml) +[require_ro_rootfs.yaml](best_practices/require_ro_rootfs.yaml) ````yaml apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-readonly-rootfilesystem + name: require-ro-rootfs spec: rules: - - name: validate-readonly-rootfilesystem + - name: validate-readOnlyRootFilesystem match: resources: kinds: - Pod validate: - message: "Container require read-only rootfilesystem" + message: "Root filesystem must be read-only" pattern: spec: containers: - securityContext: readOnlyRootFilesystem: true -```` \ No newline at end of file +```` diff --git a/samples/RestrictAutomountSAToken.md b/samples/RestrictAutomountSAToken.md new file mode 100644 index 0000000000..1ebee9bd0e --- /dev/null +++ b/samples/RestrictAutomountSAToken.md @@ -0,0 +1,29 @@ +# Restrict auto-mount of Service Account tokens + +Kubernetes automatically mounts service account credentials in each pod. The service account may be assigned roles allowing pods to access API resources. To restrict access, opt out of auto-mounting tokens by setting `automountServiceAccountToken` to `false`. + +## Policy YAML + +[restrict_automount_sa_token.yaml](more/restrict_automount_sa_token.yaml) + +````yaml +apiVersion : kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: restrict-automount-sa-token +spec: + rules: + - name: validate-automountServiceAccountToken + match: + resources: + kinds: + - Pod + validate: + message: "Deny automounting API credentials" + pattern: + spec: + automountServiceAccountToken: false +```` + + + diff --git a/samples/DisallowUnknownRegistries.md b/samples/RestrictImageRegistries.md similarity index 80% rename from samples/DisallowUnknownRegistries.md rename to samples/RestrictImageRegistries.md index da2327cf4d..46b88d84e5 100644 --- a/samples/DisallowUnknownRegistries.md +++ b/samples/RestrictImageRegistries.md @@ -6,16 +6,16 @@ You can customize this policy to allow image registries that you trust. ## Policy YAML -[trusted_image_registries.yaml](best_practices/trusted_image_registries.yaml) +[restrict_image_registries.yaml](more/restrict_image_registries.yaml) ````yaml apiVersion : kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: trusted-registries + name: restrict-image-registries spec: rules: - - name: trusted-registries + - name: validate-registries match: resources: kinds: diff --git a/samples/RestrictIngressClasses.md b/samples/RestrictIngressClasses.md new file mode 100644 index 0000000000..fa8506f810 --- /dev/null +++ b/samples/RestrictIngressClasses.md @@ -0,0 +1,27 @@ +# Restrict ingress classes + +It can be useful to restrict Ingress resources to a set of known ingress classes that are allowed in the cluster. You can customize this policy to allow ingress classes that are configured in the cluster. + +## Policy YAML + +[restrict_ingress_classes.yaml](more/restrict_ingress_classes.yaml) + +````yaml +apiVersion : kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: restrict-ingress-classes +spec: + rules: + - name: validate-ingress + match: + resources: + kinds: + - Ingress + validate: + message: "Unknown ingress class" + pattern: + metadata: + annotations: + kubernetes.io/ingress.class: "F5 | nginx" +```` diff --git a/samples/LimitNodePort.md b/samples/RestrictNodePort.md similarity index 73% rename from samples/LimitNodePort.md rename to samples/RestrictNodePort.md index 71ff1adf46..86234ca3f6 100644 --- a/samples/LimitNodePort.md +++ b/samples/RestrictNodePort.md @@ -1,4 +1,4 @@ -# Limit `NodePort` services +# Restrict use of `NodePort` services A Kubernetes service of type `NodePort` uses a host port (on every node in the cluster) to receive traffic from any source. @@ -8,23 +8,23 @@ Although NodePort services can be useful, their use should be limited to service ## Policy YAML -[disallow_node_port.yaml](best_practices/disallow_node_port.yaml) +[restrict_node_port.yaml](more/restrict_node_port.yaml) ````yaml apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: disallow-node-port + name: restrict-node-port spec: rules: - - name: disallow-node-port + - name: validate-node-port match: resources: kinds: - Service validate: - message: "Disallow service of type NodePort" + message: "Service of type NodePort is not allowed" pattern: spec: type: "!NodePort" diff --git a/samples/best_practices/add_network_policy.yaml b/samples/best_practices/add_network_policy.yaml new file mode 100644 index 0000000000..16850bcf9e --- /dev/null +++ b/samples/best_practices/add_network_policy.yaml @@ -0,0 +1,29 @@ +apiVersion: kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: add-networkpolicy + annotations: + policies.kyverno.io/category: Workload Management + policies.kyverno.io/description: By default, Kubernetes allows communications across + all pods within a cluster. Network policies and, a CNI that supports network policies, + must be used to restrict communinications. A default NetworkPolicy should be configured + for each namespace to default deny all ingress traffic to the pods in the namespace. + Application teams can then configure additional NetworkPolicy resources to allow + desired traffic to application pods from select sources. +spec: + rules: + - name: "default-deny-ingress" + match: + resources: + kinds: + - Namespace + name: "*" + generate: + kind: NetworkPolicy + name: default-deny-ingress + data: + spec: + # select all pods in the namespace + podSelector: {} + policyTypes: + - Ingress \ No newline at end of file diff --git a/samples/best_practices/add_ns_quota.yaml b/samples/best_practices/add_ns_quota.yaml new file mode 100644 index 0000000000..4fcd8ea15c --- /dev/null +++ b/samples/best_practices/add_ns_quota.yaml @@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: add-ns-quota + annotations: + policies.kyverno.io/category: Workload Isolation + policies.kyverno.io/description: To limit the number of objects, as well as the + total amount of compute that may be consumed by a single namespace, create + a default resource quota for each namespace. +spec: + rules: + - name: generate-resourcequota + match: + resources: + kinds: + - Namespace + generate: + kind: ResourceQuota + name: "default-resourcequota" + data: + spec: + hard: + requests.cpu: '4' + requests.memory: '16Gi' + limits.cpu: '4' + limits.memory: '16Gi' diff --git a/samples/best_practices/add_safe-to-evict_annotation.yaml b/samples/best_practices/add_safe_to_evict.yaml similarity index 85% rename from samples/best_practices/add_safe-to-evict_annotation.yaml rename to samples/best_practices/add_safe_to_evict.yaml index 891297ceec..487bfad4d3 100644 --- a/samples/best_practices/add_safe-to-evict_annotation.yaml +++ b/samples/best_practices/add_safe_to_evict.yaml @@ -1,15 +1,15 @@ apiVersion: "kyverno.io/v1alpha1" kind: "ClusterPolicy" metadata: - name: "annotate-emptydir-hostpath" + name: "add-safe-to-evict" annotations: - policies.kyverno.io/category: AutoScaling + policies.kyverno.io/category: Workload Management policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods. spec: rules: - - name: "empty-dir-add-safe-to-evict" + - name: "annotate-empty-dir" match: resources: kinds: @@ -22,7 +22,7 @@ spec: spec: volumes: - (emptyDir): {} - - name: "host-path-add-safe-to-evict" + - name: "annotate-host-path" match: resources: kinds: diff --git a/samples/best_practices/disallow_automountingapicred.yaml b/samples/best_practices/disallow_automountingapicred.yaml deleted file mode 100644 index f66eb3912d..0000000000 --- a/samples/best_practices/disallow_automountingapicred.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion : kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: validate-disallow-automoutingapicred - annotations: - policies.kyverno.io/category: API Server Access Control - policies.kyverno.io/description: Kubernetes automounts default service account credentials in each pod. - To restrict access, opt out of automounting credentials by setting 'automountServiceAccountToken' to 'false'. -spec: - rules: - - name: disallow-automoutingapicred - match: - resources: - kinds: - - Pod - validate: - message: "Deny automounting API credentials" - pattern: - spec: - =(serviceAccountName): "*" - automountServiceAccountToken: false \ No newline at end of file diff --git a/samples/best_practices/disallow_host_filesystem.yaml b/samples/best_practices/disallow_bind_mounts.yaml similarity index 64% rename from samples/best_practices/disallow_host_filesystem.yaml rename to samples/best_practices/disallow_bind_mounts.yaml index 7ad0596f67..c00b0bf190 100644 --- a/samples/best_practices/disallow_host_filesystem.yaml +++ b/samples/best_practices/disallow_bind_mounts.yaml @@ -1,26 +1,26 @@ apiVersion: "kyverno.io/v1alpha1" kind: "ClusterPolicy" metadata: - name: "deny-use-of-host-fs" + name: "disallow-bind-mounts" annotations: - policies.kyverno.io/category: Data Protection + policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind mounts (i.e. directories and volumes mounted to a host path) in containers. Using host - resources can be used to access shared data or escalate priviliges. Also, this couples pods + resources can be used to access shared data or escalate privileges. Also, this couples pods to a specific host and data persisted in the `hostPath` volume is coupled to the life of the - node leading to potential pod scheduling failures. It is highly recommeded that applications - are designed to be decoupled from the underlying infrstructure (in this case, nodes). + node leading to potential pod scheduling failures. It is highly recommended that applications + are designed to be decoupled from the underlying infrastructure (in this case, nodes). spec: rules: - - name: "deny-use-of-host-fs" + - name: "validate-hostPath" match: resources: kinds: - "Pod" validate: - message: "Host path is not allowed" + message: "Host path volumes are not allowed" pattern: spec: volumes: - - X(hostPath): null \ No newline at end of file + - X(hostPath): null diff --git a/samples/best_practices/disallow_default_namespace.yaml b/samples/best_practices/disallow_default_namespace.yaml index 03043d7940..954b9c25e0 100644 --- a/samples/best_practices/disallow_default_namespace.yaml +++ b/samples/best_practices/disallow_default_namespace.yaml @@ -1,24 +1,26 @@ apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-namespace - annotations: - policies.kyverno.io/category: Workload Isolation - policies.kyverno.io/description: With many users spread across multiple teams, restricting - use of the default namespace and subdividing the cluster by namesoace isolates workloads. + name: disallow-default-namespace + policies.kyverno.io/category: Workload Isolation + policies.kyverno.io/description: Kubernetes namespaces are an optional feature + that provide a way to segment and isolate cluster resources across multiple + applications and users. As a best practice, workloads should be isolated with + namespaces. Namespaces should be required and the default (empty) namespace + should not be used. spec: rules: - - name: check-default-namespace + - name: validate-namespace match: resources: kinds: - Pod validate: - message: "Using 'default' namespace is restricted" + message: "Using 'default' namespace is not allowed" pattern: metadata: namespace: "!default" - - name: check-namespace-exist + - name: require-namespace match: resources: kinds: @@ -28,3 +30,4 @@ spec: pattern: metadata: namespace: "?*" + diff --git a/samples/best_practices/disallow_host_network_hostport.yaml b/samples/best_practices/disallow_host_network_port.yaml similarity index 93% rename from samples/best_practices/disallow_host_network_hostport.yaml rename to samples/best_practices/disallow_host_network_port.yaml index 9b9dd169ee..9ec09a75ff 100644 --- a/samples/best_practices/disallow_host_network_hostport.yaml +++ b/samples/best_practices/disallow_host_network_port.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: host-network-port annotations: - policies.kyverno.io/category: Security + policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: Using 'hostPort' and 'hostNetwork' allows pods to share the host network stack, allowing potential snooping of network traffic from an application pod. spec: diff --git a/samples/best_practices/disallow_hostpid_hostipc.yaml b/samples/best_practices/disallow_host_pid_ipc.yaml similarity index 86% rename from samples/best_practices/disallow_hostpid_hostipc.yaml rename to samples/best_practices/disallow_host_pid_ipc.yaml index 545d72fafd..1354bb8e3f 100644 --- a/samples/best_practices/disallow_hostpid_hostipc.yaml +++ b/samples/best_practices/disallow_host_pid_ipc.yaml @@ -1,9 +1,9 @@ apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-host-pid-ipc + name: disallow-host-pid-ipc annotations: - policies.kyverno.io/category: Security + policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process on the host, potentially exposing process information. Sharing the host's IPC namespace allows the container process to communicate with processes on the host. To avoid pod container from @@ -11,7 +11,7 @@ metadata: spec: validationFailureAction: audit rules: - - name: validate-host-pid-ipc + - name: validate-hostPID-hostIPC match: resources: kinds: diff --git a/samples/best_practices/require_image_tag_not_latest.yaml b/samples/best_practices/disallow_latest_tag.yaml similarity index 70% rename from samples/best_practices/require_image_tag_not_latest.yaml rename to samples/best_practices/disallow_latest_tag.yaml index a478b95edc..c84983b68f 100644 --- a/samples/best_practices/require_image_tag_not_latest.yaml +++ b/samples/best_practices/disallow_latest_tag.yaml @@ -1,32 +1,32 @@ apiVersion : kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-image-tag + name: disallow-latest-tag annotations: - policies.kyverno.io/category: Image + policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod. spec: rules: - - name: image-tag-notspecified + - name: require-image-tag match: resources: kinds: - Pod validate: - message: "Image tag not specified" + message: "An image tag is required" pattern: spec: containers: - image: "*:*" - - name: image-tag-not-latest + - name: validate-image-tag match: resources: kinds: - Pod validate: - message: "Using 'latest' image tag is restricted. Set image tag to a specific version" + message: "Using a mutable image tag e.g. 'latest' is not allowed" pattern: spec: containers: diff --git a/samples/best_practices/disallow_new_capabilities.yaml b/samples/best_practices/disallow_new_capabilities.yaml index a727d8e44b..ffa10db35d 100644 --- a/samples/best_practices/disallow_new_capabilities.yaml +++ b/samples/best_practices/disallow_new_capabilities.yaml @@ -1,9 +1,9 @@ apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-new-capabilities + name: disallow-new-capabilities annotations: - policies.kyverno.io/category: Security Context + policies.kyverno.io/category: Security policies.kyverno.io/description: Linux allows defining fine-grained permissions using capabilities. With Kubernetes, it is possible to add capabilities that escalate the level of kernel access and allow other potentially dangerous behaviors. This policy @@ -11,13 +11,13 @@ metadata: default capabilities. spec: rules: - - name: deny-new-capabilities + - name: validate-add-capabilities match: resources: kinds: - Pod validate: - message: "Capabilities cannot be added" + message: "New capabilities cannot be added" anyPattern: - spec: =(securityContext): @@ -28,4 +28,4 @@ spec: - name: "*" =(securityContext): =(capabilities): - X(add): null \ No newline at end of file + X(add): null diff --git a/samples/best_practices/disallow_priviledged_priviligedescalation.yaml b/samples/best_practices/disallow_priviledged_priviligedescalation.yaml deleted file mode 100644 index 309f369d39..0000000000 --- a/samples/best_practices/disallow_priviledged_priviligedescalation.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: validate-deny-privileged-priviligedescalation - annotations: - policies.kyverno.io/category: Security Context - policies.kyverno.io/description: Privileged containers are defined as any container - where the container uid 0 is mapped to the host’s uid 0. A process within privileged - containers can get unrestricted host access. With 'securityContext.allowPrivilegeEscalation' - enabled a process can gain privileges from its parent. To disallow privileged containers - and the escalation of privileges it is recommended to run pod containers with - 'securityContext.priveleged' as 'false' and 'allowPrivilegeEscalation' as 'false'. -spec: - rules: - - name: deny-privileged-priviligedescalation - match: - resources: - kinds: - - Pod - validate: - message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false" - anyPattern: - - spec: - securityContext: - allowPrivilegeEscalation: false - privileged: false - - spec: - containers: - - name: "*" - securityContext: - allowPrivilegeEscalation: false - privileged: false diff --git a/samples/best_practices/disallow_privileged.yaml b/samples/best_practices/disallow_privileged.yaml new file mode 100644 index 0000000000..57f6b48ab1 --- /dev/null +++ b/samples/best_practices/disallow_privileged.yaml @@ -0,0 +1,46 @@ +apiVersion: kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: disallow-privileged + annotations: + policies.kyverno.io/category: Security + policies.kyverno.io/description: Privileged containers are defined as any + container where the container uid 0 is mapped to the host’s uid 0. + A process within a privileged container can get unrestricted host access. + With `securityContext.allowPrivilegeEscalation` enabled, a process can + gain privileges from its parent. +spec: + rules: + - name: validate-privileged + match: + resources: + kinds: + - Pod + validate: + message: "Privileged mode is not allowed. Set privileged to false" + anyPattern: + - spec: + securityContext: + privileged: false + - spec: + containers: + - name: "*" + securityContext: + privileged: false + - name: validate-allowPrivilegeEscalation + match: + resources: + kinds: + - Pod + validate: + message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false" + anyPattern: + - spec: + securityContext: + allowPrivilegeEscalation: false + - spec: + containers: + - name: "*" + securityContext: + allowPrivilegeEscalation: false + diff --git a/samples/best_practices/deny_runasrootuser.yaml b/samples/best_practices/disallow_root_user.yaml similarity index 78% rename from samples/best_practices/deny_runasrootuser.yaml rename to samples/best_practices/disallow_root_user.yaml index dd653c995a..5201126195 100644 --- a/samples/best_practices/deny_runasrootuser.yaml +++ b/samples/best_practices/disallow_root_user.yaml @@ -1,22 +1,22 @@ apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-deny-runasrootuser + name: disallow-root-user annotations: - policies.kyverno.io/category: Security Context + policies.kyverno.io/category: Security policies.kyverno.io/description: By default, processes in a container run as a root user (uid 0). To prevent potential compromise of container hosts, specify a least privileged user ID when building the container image and require that application containers run as non root users. spec: rules: - - name: deny-runasrootuser + - name: validate-runAsNonRoot match: resources: kinds: - Pod validate: - message: "Root user is not allowed. Set runAsNonRoot to true" + message: "Running as root user is not allowed. Set runAsNonRoot to true" anyPattern: - spec: securityContext: diff --git a/samples/best_practices/disallow_sysctls.yaml b/samples/best_practices/disallow_sysctls.yaml new file mode 100644 index 0000000000..8610ed4d25 --- /dev/null +++ b/samples/best_practices/disallow_sysctls.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: disallow-sysctls + annotations: + policies.kyverno.io/category: Security + policies.kyverno.io/description: The Sysctl interface allows modifications to kernel parameters + at runtime. In a Kubernetes pod these parameters can be specified under `securityContext.sysctls`. + Kernel parameter modifications can be used for exploits and should be restricted. +spec: + rules: + - name: validate-sysctls + match: + resources: + kinds: + - Pod + validate: + message: "Changes to kernel paramaters are not allowed" + pattern: + spec: + securityContext: + X(sysctls): null \ No newline at end of file diff --git a/samples/best_practices/known_ingress.yaml b/samples/best_practices/known_ingress.yaml deleted file mode 100644 index 6c49a8e7cc..0000000000 --- a/samples/best_practices/known_ingress.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion : kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: known-ingress - annotations: - policies.kyverno.io/category: Ingress - policies.kyverno.io/description: -spec: - rules: - - name: known-ingress - match: - resources: - kinds: - - Ingress - validate: - message: "Unknown ingress class" - pattern: - metadata: - annotations: - kubernetes.io/ingress.class: "F5 | nginx" diff --git a/samples/best_practices/require_default_network_policy.yaml b/samples/best_practices/require_default_network_policy.yaml deleted file mode 100644 index 11886de3f5..0000000000 --- a/samples/best_practices/require_default_network_policy.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: default-deny-ingress-networkpolicy - annotations: - policies.kyverno.io/category: NetworkPolicy - policies.kyverno.io/description: By default, Kubernetes allows all ingress and egress traffic - to and from pods within a cluster. A "default" NetworkPolicy resource for a namespace should - be used to deny all ingress traffic to the pods in that namespace. Additional NetworkPolicy - resources can then be configured to allow desired traffic to application pods. -spec: - rules: - - name: "default-deny-ingress" - match: - resources: - kinds: - - Namespace - name: "*" - generate: - kind: NetworkPolicy - name: default-deny-ingress - data: - spec: - # select all pods in the namespace - podSelector: {} - policyTypes: - - Ingress \ No newline at end of file diff --git a/samples/best_practices/require_namespace_quota.yaml b/samples/best_practices/require_namespace_quota.yaml deleted file mode 100644 index 134af75a51..0000000000 --- a/samples/best_practices/require_namespace_quota.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: generate-namespace-quota - annotations: - policies.kyverno.io/category: Resource Quota - policies.kyverno.io/description: To limit the number of objects, as well as the - total amount of compute that may be consumed by an application, it is important - to create resource limits and quotas for each namespace. -spec: - rules: - - name: generate-namespace-quota - match: - resources: - kinds: - - Namespace - generate: - kind: ResourceQuota - name: "defaultresourcequota" - data: - spec: - hard: - requests.cpu: 4 - requests.memory: 16Gi - limits.cpu: 4 - limits.memory: 16Gi \ No newline at end of file diff --git a/samples/best_practices/require_pod_requests_limits.yaml b/samples/best_practices/require_pod_requests_limits.yaml index 4672f4362a..1ad5e2b132 100644 --- a/samples/best_practices/require_pod_requests_limits.yaml +++ b/samples/best_practices/require_pod_requests_limits.yaml @@ -1,9 +1,9 @@ apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: check-resource + name: require-pod-requests-limits annotations: - policies.kyverno.io/category: Resource Quota + policies.kyverno.io/category: Workload Management policies.kyverno.io/description: As application workloads share cluster resources, it is important to limit resources requested and consumed by each pod. It is recommended to require 'resources.requests' and 'resources.limits' per pod. If a namespace level request or limit is @@ -11,7 +11,7 @@ metadata: spec: validationFailureAction: "audit" rules: - - name: check-resource-request-limit + - name: validate-resources match: resources: kinds: diff --git a/samples/best_practices/require_probes.yaml b/samples/best_practices/require_probes.yaml index 8e930f8b13..043ed320f1 100644 --- a/samples/best_practices/require_probes.yaml +++ b/samples/best_practices/require_probes.yaml @@ -1,16 +1,17 @@ apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-probes + name: require-pod-probes annotations: - policies.kyverno.io/category: Health Check - policies.kyverno.io/description: For each pod, a 'livenessProbe' is carried out by the kubelet to - determine when to restart a container. A 'readinessProbe' is used by services and deployments to - determine if the pod is ready to recieve network traffic. Both liveness and readiness probes - need to be configured to manage the pod lifecycle during restarts and upgrades. + policies.kyverno.io/category: Workload Management + policies.kyverno.io/description: Liveness and readiness probes need to be configured to + correctly manage a pods lifecycle during deployments, restarts, and upgrades. For each + pod, a periodic `livenessProbe` is performed by the kubelet to determine if the pod's + containers are running or need to be restarted. A `readinessProbe` is used by services + and deployments to determine if the pod is ready to receive network traffic. spec: rules: - - name: check-probes + - name: validate-livenessProbe-readinessProbe match: resources: kinds: diff --git a/samples/best_practices/require_readonly_rootfilesystem.yaml b/samples/best_practices/require_ro_rootfs.yaml similarity index 75% rename from samples/best_practices/require_readonly_rootfilesystem.yaml rename to samples/best_practices/require_ro_rootfs.yaml index 38bedb1db4..01b49ea541 100644 --- a/samples/best_practices/require_readonly_rootfilesystem.yaml +++ b/samples/best_practices/require_ro_rootfs.yaml @@ -1,22 +1,22 @@ apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: validate-readonly-rootfilesystem + name: require-ro-rootfs annotations: - policies.kyverno.io/category: Security Context + policies.kyverno.io/category: Security policies.kyverno.io/description: A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write on the mounted volume that p ersists the state. An immutable root filesystem can also prevent malicious binaries from writing to the host system. spec: rules: - - name: validate-readonly-rootfilesystem + - name: validate-readOnlyRootFilesystem match: resources: kinds: - Pod validate: - message: "Container require read-only rootfilesystem" + message: "Root filesystem must be read-only" pattern: spec: containers: diff --git a/samples/more/policy_validate_container_capabilities.yaml b/samples/more/policy_validate_container_capabilities.yaml deleted file mode 100644 index 3b51f1c07e..0000000000 --- a/samples/more/policy_validate_container_capabilities.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: validate-container-capablities - annotations: - policies.kyverno.io/category: Security Context - policies.kyverno.io/description: Linux divides the privileges traditionally associated with - superuser into distinct units, known as capabilities, which can be independently enabled - or disabled by listing them in 'securityContext.capabilites'. -spec: - rules: - - name: validate-container-capablities - match: - resources: - kinds: - - Pod - validate: - message: "Allow certain linux capability" - pattern: - spec: - containers: - - securityContext: - capabilities: - add: ["NET_ADMIN"] diff --git a/samples/more/policy_validate_sysctl_configs.yaml b/samples/more/policy_validate_sysctl_configs.yaml deleted file mode 100644 index dae630093b..0000000000 --- a/samples/more/policy_validate_sysctl_configs.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: validate-allow-portrange-with-sysctl - annotations: - policies.kyverno.io/category: Security Context - policies.kyverno.io/description: The Sysctl interface allows to modify kernel parameters at - runtime and in the pod can be specified under 'securityContext.sysctls'. If kernel parameters - in the pod are to be modified, should be handled cautiously, and policy with rules restricting - these options will be helpful. We can control minimum and maximum port that a network connection - can use as its source(local) port by checking 'net.ipv4.ip_local_port_range'. -spec: - rules: - - name: allow-portrange-with-sysctl - match: - resources: - kinds: - - Pod - validate: - message: "Allowed port range is from 1024 to 65535" - pattern: - spec: - securityContext: - sysctls: - - name: net.ipv4.ip_local_port_range - value: "1024 65535" diff --git a/samples/more/policy_validate_user_group_fsgroup_id.yaml b/samples/more/policy_validate_user_group_fsgroup_id.yaml deleted file mode 100644 index 853d8fd06e..0000000000 --- a/samples/more/policy_validate_user_group_fsgroup_id.yaml +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: validate-userid-groupid-fsgroup - annotations: - policies.kyverno.io/category: Security Context - policies.kyverno.io/description: All processes inside the pod can be made to run with specific user - and groupID by setting 'runAsUser' and 'runAsGroup' respectively. 'fsGroup' can be specified - to make sure any file created in the volume with have the specified groupID. These options can be - used to validate the IDs used for user and group. -spec: - rules: - - name: validate-userid - match: - resources: - kinds: - - Pod - validate: - message: "User ID should be 1000" - pattern: - spec: - securityContext: - runAsUser: 1000 - - name: validate-groupid - match: - resources: - kinds: - - Pod - validate: - message: "Group ID should be 3000" - pattern: - spec: - securityContext: - runAsGroup: 3000 - - name: validate-fsgroup - match: - resources: - kinds: - - Pod - validate: - message: "fsgroup should be 2000" - pattern: - spec: - securityContext: - fsGroup: 2000 -# Alls processes inside the pod can be made to run with specific user and groupID by setting runAsUser and runAsGroup respectively. -# fsGroup can be specified to make sure any file created in the volume with have the specified groupID. -# The above parameters can also be used in a validate policy to restrict user & group IDs. \ No newline at end of file diff --git a/samples/more/restrict_automount_sa_token.yaml b/samples/more/restrict_automount_sa_token.yaml new file mode 100644 index 0000000000..6e0d3b6123 --- /dev/null +++ b/samples/more/restrict_automount_sa_token.yaml @@ -0,0 +1,22 @@ +apiVersion : kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: restrict-automount-sa-token + annotations: + policies.kyverno.io/category: Security + policies.kyverno.io/description: Kubernetes automatically mounts service account + credentials in each pod. The service account may be assigned roles allowing pods + to access API resources. To restrict access, opt out of auto-mounting tokens by + setting automountServiceAccountToken to false. +spec: + rules: + - name: validate-automountServiceAccountToken + match: + resources: + kinds: + - Pod + validate: + message: "Auto-mounting of Service Account tokens is not allowed" + pattern: + spec: + automountServiceAccountToken: false \ No newline at end of file diff --git a/samples/best_practices/trusted_image_registries.yaml b/samples/more/restrict_image_registries.yaml similarity index 65% rename from samples/best_practices/trusted_image_registries.yaml rename to samples/more/restrict_image_registries.yaml index 67406c5743..8eeb968272 100644 --- a/samples/best_practices/trusted_image_registries.yaml +++ b/samples/more/restrict_image_registries.yaml @@ -1,21 +1,20 @@ apiVersion : kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: trusted-registries + name: restrict-image-registries annotations: - policies.kyverno.io/category: Image + policies.kyverno.io/category: Workload Management policies.kyverno.io/description: Images from unknown registries may not be scanned and secured. - Requiring use of known registries helps reduce threat exposure. You can customize this policy - to allow image registries that you trust. + Requiring use of known registries helps reduce threat exposure. spec: rules: - - name: trusted-registries + - name: validate-registries match: resources: kinds: - Pod validate: - message: "Deny untrusted registries" + message: "Unknown image registry" pattern: spec: containers: diff --git a/samples/more/restrict_ingress_classes.yaml b/samples/more/restrict_ingress_classes.yaml new file mode 100644 index 0000000000..10fd7f9739 --- /dev/null +++ b/samples/more/restrict_ingress_classes.yaml @@ -0,0 +1,22 @@ +apiVersion : kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: restrict-ingress-classes + annotations: + policies.kyverno.io/category: Workload Management + policies.kyverno.io/description: It can be useful to restrict Ingress resources to a set of + known ingress classes that are allowed in the cluster. You can customize this policy to + allow ingress classes that are configured in the cluster. +spec: + rules: + - name: validate-ingress + match: + resources: + kinds: + - Ingress + validate: + message: "Unknown ingress class" + pattern: + metadata: + annotations: + kubernetes.io/ingress.class: "F5 | nginx" diff --git a/samples/best_practices/disallow_node_port.yaml b/samples/more/restrict_node_port.yaml similarity index 77% rename from samples/best_practices/disallow_node_port.yaml rename to samples/more/restrict_node_port.yaml index a998e839ac..9077b4079c 100644 --- a/samples/best_practices/disallow_node_port.yaml +++ b/samples/more/restrict_node_port.yaml @@ -1,22 +1,22 @@ apiVersion: kyverno.io/v1alpha1 kind: ClusterPolicy metadata: - name: disallow-node-port + name: restrict-nodeport annotations: - policies.kyverno.io/category: Security + policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: A Kubernetes service of type NodePort uses a host port to receive traffic from any source. A 'NetworkPolicy' resource cannot be used to control traffic to host ports. Although 'NodePort' services can be useful, their use must be limited to services with additional upstream security checks. spec: rules: - - name: disallow-node-port + - name: validate-nodeport match: resources: kinds: - Service validate: - message: "Disallow service of type NodePort" + message: "Services of type NodePort are not allowed" pattern: spec: type: "!NodePort" diff --git a/test/resources/disallow_priviledged_priviligedescalation.yaml b/test/resources/disallow_privileged.yaml similarity index 89% rename from test/resources/disallow_priviledged_priviligedescalation.yaml rename to test/resources/disallow_privileged.yaml index 4ae00ff39c..983e5463a5 100644 --- a/test/resources/disallow_priviledged_priviligedescalation.yaml +++ b/test/resources/disallow_privileged.yaml @@ -8,4 +8,4 @@ spec: image: nginxinc/nginx-unprivileged securityContext: allowPrivilegeEscalation: true - privileged: false + privileged: true diff --git a/test/resources/require_image_tag_not_latest_deny.yaml b/test/resources/pod_with_latest_tag.yaml similarity index 100% rename from test/resources/require_image_tag_not_latest_deny.yaml rename to test/resources/pod_with_latest_tag.yaml diff --git a/test/resources/resource_validate_image_tag_latest_pass.yaml b/test/resources/pod_with_version_tag.yaml similarity index 100% rename from test/resources/resource_validate_image_tag_latest_pass.yaml rename to test/resources/pod_with_version_tag.yaml diff --git a/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml b/test/scenarios/samples/best_practices/add_networkPolicy.yaml similarity index 82% rename from test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml rename to test/scenarios/samples/best_practices/add_networkPolicy.yaml index 37e7910092..f5a8942c15 100644 --- a/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml +++ b/test/scenarios/samples/best_practices/add_networkPolicy.yaml @@ -1,6 +1,6 @@ # file path relative to project root input: - policy: samples/best_practices/require_default_network_policy.yaml + policy: samples/best_practices/add_network_policy.yaml resource: test/resources/require_default_network_policy.yaml expected: generation: @@ -9,7 +9,7 @@ expected: kind: NetworkPolicy namespace: devtest policyresponse: - policy: default-deny-ingress-networkpolicy + policy: add-networkpolicy resource: kind: Namespace apiVersion: v1 diff --git a/test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml b/test/scenarios/samples/best_practices/add_ns_quota.yaml similarity index 60% rename from test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml rename to test/scenarios/samples/best_practices/add_ns_quota.yaml index a15009146b..2e4102ade8 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml +++ b/test/scenarios/samples/best_practices/add_ns_quota.yaml @@ -1,22 +1,21 @@ # file path relative to project root input: - policy: samples/best_practices/require_namespace_quota.yaml + policy: samples/best_practices/add_ns_quota.yaml resource: test/resources/require_namespace_quota.yaml expected: generation: generatedResources: - - name: defaultresourcequota + - name: default-resourcequota kind: ResourceQuota namespace: test-namespace-quota policyresponse: - policy: generate-namespace-quota + policy: add-ns-quota resource: kind: Namespace apiVersion: v1 namespace: '' name: test-namespace-quota rules: - - name: generate-namespace-quota + - name: generate-resourcequota type: Generation success: true - message: created resource ResourceQuota/test-namespace-quota/defaultresourcequota diff --git a/test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict.yaml similarity index 78% rename from test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml rename to test/scenarios/samples/best_practices/add_safe_to_evict.yaml index 17ddc3bec0..640b6c4188 100644 --- a/test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml +++ b/test/scenarios/samples/best_practices/add_safe_to_evict.yaml @@ -1,19 +1,19 @@ # file path is relative to project root input: - policy: samples/best_practices/add_safe-to-evict_annotation.yaml + policy: samples/best_practices/add_safe_to_evict.yaml resource: test/resources/pod-with-emptydir.yaml expected: mutation: patchedresource: test/output/pod-with-emptydir.yaml policyresponse: - policy: annotate-emptydir-hostpath + policy: add-safe-to-evict resource: kind: Pod apiVersion: v1 namespace: '' name: pod-with-emptydir rules: - - name: empty-dir-add-safe-to-evict + - name: annotate-empty-dir type: Mutation success: true message: "successfully processed overlay" diff --git a/test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict2.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml similarity index 78% rename from test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict2.yaml rename to test/scenarios/samples/best_practices/add_safe_to_evict2.yaml index 1067c9f2b5..adce5724fe 100644 --- a/test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict2.yaml +++ b/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml @@ -1,19 +1,19 @@ # file path is relative to project root input: - policy: samples/best_practices/add_safe-to-evict_annotation.yaml + policy: samples/best_practices/add_safe_to_evict.yaml resource: test/resources/pod-with-hostpath.yaml expected: mutation: patchedresource: test/output/pod-with-hostpath.yaml policyresponse: - policy: annotate-emptydir-hostpath + policy: add-safe-to-evict resource: kind: Pod apiVersion: v1 namespace: '' name: pod-with-hostpath rules: - - name: empty-dir-add-safe-to-evict + - name: annotate-host-path type: Mutation success: true message: "successfully processed overlay" diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml b/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml similarity index 53% rename from test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml rename to test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml index a07def3c63..fe648e6bf7 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml +++ b/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml @@ -1,18 +1,17 @@ # file path relative to project root input: - policy: samples/best_practices/disallow_host_filesystem.yaml + policy: samples/best_practices/disallow_bind_mounts.yaml resource: test/resources/disallow_host_filesystem.yaml expected: validation: policyresponse: - policy: deny-use-of-host-fs + policy: disallow-bind-mounts resource: kind: Pod apiVersion: v1 namespace: '' name: image-with-hostpath rules: - - name: deny-use-of-host-fs + - name: validate-hostPath type: Validation - message: "Validation error: Host path is not allowed\nValidation rule 'deny-use-of-host-fs' failed at path '/spec/volumes/0/hostPath/'." success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml b/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml similarity index 61% rename from test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml rename to test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml index 585851942f..c435528b90 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml +++ b/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml @@ -1,18 +1,17 @@ # file path relative to project root input: - policy: samples/best_practices/disallow_host_filesystem.yaml + policy: samples/best_practices/disallow_bind_mounts.yaml resource: test/resources/disallow_host_filesystem_pass.yaml expected: validation: policyresponse: - policy: deny-use-of-host-fs + policy: disallow-bind-mounts resource: kind: Pod apiVersion: v1 namespace: '' name: image-with-hostpath rules: - - name: deny-use-of-host-fs + - name: validate-hostPath type: Validation - message: Validation rule 'deny-use-of-host-fs' succeeded. success: true \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml b/test/scenarios/samples/best_practices/disallow_default_namespace.yaml similarity index 61% rename from test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml rename to test/scenarios/samples/best_practices/disallow_default_namespace.yaml index 682d8363cc..fe44d3389d 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml +++ b/test/scenarios/samples/best_practices/disallow_default_namespace.yaml @@ -5,7 +5,7 @@ input: expected: validation: policyresponse: - policy: validate-namespace + policy: disallow-default-namespace resource: kind: Pod apiVersion: v1 @@ -14,12 +14,10 @@ expected: namespace: 'default' name: myapp-pod rules: - - name: check-default-namespace + - name: validate-namespace type: Validation - message: "Validation error: Using 'default' namespace is restricted\nValidation rule 'check-default-namespace' failed at path '/metadata/namespace/'." success: false - - name: check-namespace-exist + - name: require-namespace type: Validation - message: "Validation rule 'check-namespace-exist' succeeded." success: true diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml b/test/scenarios/samples/best_practices/disallow_docker_sock_mount.yaml similarity index 100% rename from test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml rename to test/scenarios/samples/best_practices/disallow_docker_sock_mount.yaml diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml b/test/scenarios/samples/best_practices/disallow_host_network_port.yaml similarity index 81% rename from test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml rename to test/scenarios/samples/best_practices/disallow_host_network_port.yaml index 613d715357..4b1d414308 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml +++ b/test/scenarios/samples/best_practices/disallow_host_network_port.yaml @@ -1,6 +1,6 @@ # file path relative to project root input: - policy: samples/best_practices/disallow_host_network_hostport.yaml + policy: samples/best_practices/disallow_host_network_port.yaml resource: test/resources/disallow_host_network_hostport.yaml expected: validation: @@ -17,4 +17,4 @@ expected: success: true - name: validate-host-port type: Validation - success: false \ No newline at end of file + success: false diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml b/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml similarity index 64% rename from test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml rename to test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml index 9d57910743..14591d60e5 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml +++ b/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml @@ -1,17 +1,17 @@ # file path relative to project root input: - policy: samples/best_practices/disallow_hostpid_hostipc.yaml + policy: samples/best_practices/disallow_host_pid_ipc.yaml resource: test/resources/disallow_hostpid_hostipc.yaml expected: validation: policyresponse: - policy: validate-host-pid-ipc + policy: disallow-host-pid-ipc resource: kind: Pod apiVersion: v1 namespace: '' name: "nginx-with-hostpid" rules: - - name: validate-host-pid-ipc + - name: validate-hostPID-hostIPC type: Validation - success: false \ No newline at end of file + success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/disallow_latest_tag.yaml b/test/scenarios/samples/best_practices/disallow_latest_tag.yaml new file mode 100644 index 0000000000..ec6163984b --- /dev/null +++ b/test/scenarios/samples/best_practices/disallow_latest_tag.yaml @@ -0,0 +1,20 @@ +# file path relative to project root +input: + policy: samples/best_practices/disallow_latest_tag.yaml + resource: test/resources/pod_with_latest_tag.yaml +expected: + validation: + policyresponse: + policy: disallow-latest-tag + resource: + kind: Pod + apiVersion: v1 + namespace: '' + name: myapp-pod + rules: + - name: require-image-tag + type: Validation + success: true + - name: validate-image-tag + type: Validation + success: false diff --git a/test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml b/test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml new file mode 100644 index 0000000000..ae4e4847f0 --- /dev/null +++ b/test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml @@ -0,0 +1,20 @@ +# file path relative to project root +input: + policy: samples/best_practices/disallow_latest_tag.yaml + resource: test/resources/pod_with_version_tag.yaml +expected: + validation: + policyresponse: + policy: disallow-latest-tag + resource: + kind: Pod + apiVersion: v1 + namespace: '' + name: myapp-pod + rules: + - name: require-image-tag + type: Validation + success: true + - name: validate-image-tag + type: Validation + success: true diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml b/test/scenarios/samples/best_practices/disallow_new_capabilities.yaml similarity index 53% rename from test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml rename to test/scenarios/samples/best_practices/disallow_new_capabilities.yaml index 0e7a6e057a..7269e48af2 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml +++ b/test/scenarios/samples/best_practices/disallow_new_capabilities.yaml @@ -5,14 +5,13 @@ input: expected: validation: policyresponse: - policy: validate-new-capabilities + policy: disallow-new-capabilities resource: kind: Pod apiVersion: v1 namespace: '' name: "add-new-capabilities" rules: - - name: deny-new-capabilities + - name: validate-add-capabilities type: Validation - message: "Validation error: Capabilities cannot be added\nValidation rule deny-new-capabilities anyPattern[0] failed at path /spec/.\nValidation rule deny-new-capabilities anyPattern[1] failed at path /spec/containers/0/securityContext/capabilities/add/." success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/disallow_priviledged.yaml b/test/scenarios/samples/best_practices/disallow_priviledged.yaml new file mode 100644 index 0000000000..06d0c203f4 --- /dev/null +++ b/test/scenarios/samples/best_practices/disallow_priviledged.yaml @@ -0,0 +1,20 @@ +# file path relative to project root +input: + policy: samples/best_practices/disallow_privileged.yaml + resource: test/resources/disallow_privileged.yaml +expected: + validation: + policyresponse: + policy: disallow-privileged + resource: + kind: Pod + apiVersion: v1 + namespace: '' + name: check-privileged-cfg + rules: + - name: validate-privileged + type: Validation + success: false + - name: validate-allowPrivilegeEscalation + type: Validation + success: false diff --git a/test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml b/test/scenarios/samples/best_practices/disallow_root_user.yaml similarity index 59% rename from test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml rename to test/scenarios/samples/best_practices/disallow_root_user.yaml index f06635771e..6d8186c66c 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml +++ b/test/scenarios/samples/best_practices/disallow_root_user.yaml @@ -1,19 +1,18 @@ # file path relative to project root input: - policy: samples/best_practices/deny_runasrootuser.yaml + policy: samples/best_practices/disallow_root_user.yaml resource: test/resources/deny_runasrootuser.yaml expected: validation: policyresponse: - policy: validate-deny-runasrootuser + policy: disallow-root-user resource: kind: Pod apiVersion: v1 namespace: '' name: check-root-user rules: - - name: deny-runasrootuser + - name: validate-runAsNonRoot type: Validation - message: "Validation rule 'deny-runasrootuser' anyPattern[1] succeeded." success: true diff --git a/test/scenarios/samples/best_practices/disallow_sysctls.yaml b/test/scenarios/samples/best_practices/disallow_sysctls.yaml new file mode 100644 index 0000000000..e62df0451c --- /dev/null +++ b/test/scenarios/samples/best_practices/disallow_sysctls.yaml @@ -0,0 +1,18 @@ + +# file path relative to project root +input: + policy: samples/best_practices/disallow_sysctls.yaml + resource: test/resources/resource_validate_sysctl_configs.yaml +expected: + validation: + policyresponse: + policy: disallow-sysctls + resource: + kind: Pod + apiVersion: v1 + namespace: '' + name: nginx + rules: + - name: validate-sysctls + type: Validation + success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml b/test/scenarios/samples/best_practices/require_pod_requests_limits.yaml similarity index 58% rename from test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml rename to test/scenarios/samples/best_practices/require_pod_requests_limits.yaml index c0be0d175f..31fa5d4df0 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml +++ b/test/scenarios/samples/best_practices/require_pod_requests_limits.yaml @@ -5,14 +5,13 @@ input: expected: validation: policyresponse: - policy: check-resource + policy: require-pod-requests-limits resource: kind: Pod apiVersion: v1 namespace: '' name: myapp-pod rules: - - name: check-resource-request-limit + - name: validate-resources type: Validation - message: "Validation error: CPU and memory resource requests and limits are required\nValidation rule 'check-resource-request-limit' failed at path '/spec/containers/0/resources/limits/cpu/'." success: false diff --git a/test/scenarios/samples/best_practices/scenario_validate_probes.yaml b/test/scenarios/samples/best_practices/require_probes.yaml similarity index 61% rename from test/scenarios/samples/best_practices/scenario_validate_probes.yaml rename to test/scenarios/samples/best_practices/require_probes.yaml index 85c82359ca..b3e799f542 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_probes.yaml +++ b/test/scenarios/samples/best_practices/require_probes.yaml @@ -5,14 +5,13 @@ input: expected: validation: policyresponse: - policy: validate-probes + policy: require-pod-probes resource: kind: Pod apiVersion: v1 namespace: '' name: myapp-pod rules: - - name: check-probes + - name: validate-livenessProbe-readinessProbe type: Validation - message: "Validation error: Liveness and readiness probes are required\nValidation rule 'check-probes' failed at path '/spec/containers/0/livenessProbe/'." success: false diff --git a/test/scenarios/samples/best_practices/require_ro_rootfs.yaml b/test/scenarios/samples/best_practices/require_ro_rootfs.yaml new file mode 100644 index 0000000000..0d2b898ebb --- /dev/null +++ b/test/scenarios/samples/best_practices/require_ro_rootfs.yaml @@ -0,0 +1,17 @@ +# file path relative to project root +input: + policy: samples/best_practices/require_ro_rootfs.yaml + resource: test/resources/require_readonly_rootfilesystem.yaml +expected: + validation: + policyresponse: + policy: require-ro-rootfs + resource: + kind: Pod + apiVersion: v1 + namespace: '' + name: "ghost-with-readonly-rootfilesystem" + rules: + - name: validate-readOnlyRootFilesystem + type: Validation + success: false diff --git a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml deleted file mode 100644 index 38d5bd1753..0000000000 --- a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# file path relative to project root -input: - policy: samples/best_practices/require_image_tag_not_latest.yaml - resource: test/resources/require_image_tag_not_latest_deny.yaml -expected: - validation: - policyresponse: - policy: validate-image-tag - resource: - kind: Pod - apiVersion: v1 - namespace: '' - name: myapp-pod - rules: - - name: image-tag-notspecified - type: Validation - message: "Validation rule 'image-tag-notspecified' succeeded." - success: true - - name: image-tag-not-latest - type: Validation - message: "Validation error: Using 'latest' image tag is restricted. Set image tag to a specific version\nValidation rule 'image-tag-not-latest' failed at path '/spec/containers/0/image/'." - success: false diff --git a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml deleted file mode 100644 index 0a1a30724a..0000000000 --- a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# file path relative to project root -input: - policy: samples/best_practices/require_image_tag_not_latest.yaml - resource: test/resources/resource_validate_image_tag_latest_pass.yaml -expected: - validation: - policyresponse: - policy: validate-image-tag - resource: - kind: Pod - apiVersion: v1 - namespace: '' - name: myapp-pod - rules: - - name: image-tag-notspecified - type: Validation - message: "Validation rule 'image-tag-notspecified' succeeded." - success: true - - name: image-tag-not-latest - type: Validation - message: "Validation rule 'image-tag-not-latest' succeeded." - success: true diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml deleted file mode 100644 index 02d26d95b0..0000000000 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# file path relative to project root -input: - policy: samples/best_practices/disallow_priviledged_priviligedescalation.yaml - resource: test/resources/disallow_priviledged_priviligedescalation.yaml -expected: - validation: - policyresponse: - policy: validate-deny-privileged-priviligedescalation - resource: - kind: Pod - apiVersion: v1 - namespace: '' - name: check-privileged-cfg - rules: - - name: deny-privileged-priviligedescalation - type: Validation - message: "Validation error: Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false\nValidation rule deny-privileged-priviligedescalation anyPattern[0] failed at path /spec/securityContext/.\nValidation rule deny-privileged-priviligedescalation anyPattern[1] failed at path /spec/containers/0/securityContext/allowPrivilegeEscalation/." - success: false - diff --git a/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml b/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml deleted file mode 100644 index f6b9331a51..0000000000 --- a/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# file path relative to project root -input: - policy: samples/best_practices/require_readonly_rootfilesystem.yaml - resource: test/resources/require_readonly_rootfilesystem.yaml -expected: - validation: - policyresponse: - policy: validate-readonly-rootfilesystem - resource: - kind: Pod - apiVersion: v1 - namespace: '' - name: "ghost-with-readonly-rootfilesystem" - rules: - - name: validate-readonly-rootfilesystem - type: Validation - message: "Validation error: Container require read-only rootfilesystem\nValidation rule 'validate-readonly-rootfilesystem' failed at path '/spec/containers/0/securityContext/readOnlyRootFilesystem/'." - success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml b/test/scenarios/samples/more/restrict_automount_sa_token.yaml similarity index 57% rename from test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml rename to test/scenarios/samples/more/restrict_automount_sa_token.yaml index 54031d382f..51eabaefff 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml +++ b/test/scenarios/samples/more/restrict_automount_sa_token.yaml @@ -1,18 +1,17 @@ # file path relative to project root input: - policy: samples/best_practices/disallow_automountingapicred.yaml + policy: samples/more/restrict_automount_sa_token.yaml resource: test/resources/disallow_automountingapicred.yaml expected: validation: policyresponse: - policy: validate-disallow-automoutingapicred + policy: restrict-automount-sa-token resource: kind: Pod apiVersion: v1 namespace: '' name: myapp-pod rules: - - name: disallow-automoutingapicred + - name: validate-automountServiceAccountToken type: Validation - message: Validation rule 'disallow-automoutingapicred' succeeded. success: true \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml b/test/scenarios/samples/more/restrict_image_registries.yaml similarity index 61% rename from test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml rename to test/scenarios/samples/more/restrict_image_registries.yaml index bb1b5d5dc1..13473f2b1c 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml +++ b/test/scenarios/samples/more/restrict_image_registries.yaml @@ -1,18 +1,17 @@ # file path relative to project root input: - policy: samples/best_practices/trusted_image_registries.yaml + policy: samples/more/restrict_image_registries.yaml resource: test/resources//trusted_image_registries.yaml expected: validation: policyresponse: - policy: trusted-registries + policy: restrict-image-registries resource: kind: Pod apiVersion: v1 namespace: '' name: k8s-nginx rules: - - name: trusted-registries + - name: validate-registries type: Validation - message: Validation rule 'trusted-registries' succeeded. success: true \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_known_ingress_class.yaml b/test/scenarios/samples/more/restrict_ingress_classes.yaml similarity index 64% rename from test/scenarios/samples/best_practices/scenario_validate_known_ingress_class.yaml rename to test/scenarios/samples/more/restrict_ingress_classes.yaml index a52149a6f1..19e6dcd1c3 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_known_ingress_class.yaml +++ b/test/scenarios/samples/more/restrict_ingress_classes.yaml @@ -1,18 +1,17 @@ # file path relative to project root input: - policy: samples/best_practices/known_ingress.yaml + policy: samples/more/restrict_ingress_classes.yaml resource: test/resources/ingress-nginx.yaml expected: validation: policyresponse: - policy: known-ingress + policy: restrict-ingress-classes resource: kind: Ingress apiVersion: v1 namespace: '' name: test-ingress rules: - - name: known-ingress + - name: validate-ingress type: Validation - message: Validation rule 'known-ingress' succeeded. success: true \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml b/test/scenarios/samples/more/restrict_node_port.yaml similarity index 50% rename from test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml rename to test/scenarios/samples/more/restrict_node_port.yaml index ce2e0883d0..3207a737e8 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml +++ b/test/scenarios/samples/more/restrict_node_port.yaml @@ -1,17 +1,16 @@ input: - policy: samples/best_practices/disallow_node_port.yaml + policy: samples/more/restrict_node_port.yaml resource: test/resources/disallow_node_port.yaml expected: validation: policyresponse: - policy: disallow-node-port + policy: restrict-nodeport resource: kind: Service apiVersion: v1 namespace: '' name: "my-service" rules: - - name: disallow-node-port + - name: validate-nodeport type: Validation - message: "Validation error: Disallow service of type NodePort\nValidation rule 'disallow-node-port' failed at path '/spec/type/'." success: false \ No newline at end of file diff --git a/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml b/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml deleted file mode 100644 index cfbdd45ded..0000000000 --- a/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml +++ /dev/null @@ -1,19 +0,0 @@ - -# file path relative to project root -input: - policy: samples/more/policy_validate_container_capabilities.yaml - resource: test/resources/resource_validate_container_capabilities.yaml -expected: - validation: - policyresponse: - policy: validate-container-capablities - resource: - kind: Pod - apiVersion: v1 - namespace: '' - name: add-capabilities - rules: - - name: validate-container-capablities - type: Validation - message: "Validation error: Allow certain linux capability\nValidation rule 'validate-container-capablities' failed at path '/spec/containers/0/securityContext/capabilities/add/0/'." - success: false \ No newline at end of file diff --git a/test/scenarios/samples/more/scenario_validate_fsgroup.yaml b/test/scenarios/samples/more/scenario_validate_fsgroup.yaml deleted file mode 100644 index 6c32043c81..0000000000 --- a/test/scenarios/samples/more/scenario_validate_fsgroup.yaml +++ /dev/null @@ -1,27 +0,0 @@ - -# file path relative to project root -input: - policy: samples/more/policy_validate_user_group_fsgroup_id.yaml - resource: test/resources/resource_validate_fsgroup.yaml -expected: - validation: - policyresponse: - policy: validate-userid-groupid-fsgroup - resource: - kind: Pod - apiVersion: v1 - namespace: '' - name: fsgroup-demo - rules: - - name: validate-userid - type: Validation - message: Validation rule 'validate-userid' succeeded. - success: true - - name: validate-groupid - type: Validation - message: Validation rule 'validate-groupid' succeeded. - success: true - - name: validate-fsgroup - type: Validation - message: Validation rule 'validate-fsgroup' succeeded. - success: true diff --git a/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml b/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml deleted file mode 100644 index 36b780324d..0000000000 --- a/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml +++ /dev/null @@ -1,19 +0,0 @@ - -# file path relative to project root -input: - policy: samples/more/policy_validate_sysctl_configs.yaml - resource: test/resources/resource_validate_sysctl_configs.yaml -expected: - validation: - policyresponse: - policy: validate-allow-portrange-with-sysctl - resource: - kind: Pod - apiVersion: v1 - namespace: '' - name: nginx - rules: - - name: allow-portrange-with-sysctl - type: Validation - message: "Validation error: Allowed port range is from 1024 to 65535\nValidation rule 'allow-portrange-with-sysctl' failed at path '/spec/securityContext/sysctls/0/value/'." - success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_unknown_ingress_class.yaml b/test/scenarios/samples/more/unknown_ingress_class.yaml similarity index 53% rename from test/scenarios/samples/best_practices/scenario_validate_unknown_ingress_class.yaml rename to test/scenarios/samples/more/unknown_ingress_class.yaml index a479a40a2e..8257eeaccd 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_unknown_ingress_class.yaml +++ b/test/scenarios/samples/more/unknown_ingress_class.yaml @@ -1,18 +1,17 @@ # file path relative to project root input: - policy: samples/best_practices/known_ingress.yaml + policy: samples/more/restrict_ingress_classes.yaml resource: test/resources/ingress-haproxy.yaml expected: validation: policyresponse: - policy: known-ingress + policy: restrict-ingress-classes resource: kind: Ingress apiVersion: v1 namespace: '' name: test-ingress rules: - - name: known-ingress + - name: validate-ingress type: Validation - message: "Validation error: Unknown ingress class\nValidation rule 'known-ingress' failed at path '/metadata/annotations/kubernetes.io/ingress.class/'." success: false \ No newline at end of file