
update documentation

This commit is contained in:
shivkumar dudhani 2019-12-10 09:51:15 -08:00
parent ee20fcd4a0
commit 4894577ba1
19 changed files with 105 additions and 56 deletions


@ -15,7 +15,7 @@ metadata:
name: add-networkpolicy
spec:
rules:
- name: "default-deny-ingress"
- name: default-deny-ingress
match:
resources:
kinds:


@ -24,7 +24,7 @@ spec:
- Namespace
generate:
kind: ResourceQuota
name: "default-resourcequota"
name: default-resourcequota
data:
spec:
hard:
@ -39,7 +39,7 @@ spec:
- Namespace
generate:
kind: LimitRange
name: "default-limitrange"
name: default-limitrange
data:
spec:
limits:


@ -13,17 +13,17 @@ This policy matches and mutates pods with `emptyDir` and `hostPath` volumes, to
[add_safe_to_evict_annotation.yaml](best_practices/add_safe_to_evict.yaml)
````yaml
apiVersion: "kyverno.io/v1"
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "add-safe-to-evict"
name: add-safe-to-evict
spec:
rules:
- name: "annotate-empty-dir"
match:
resources:
kinds:
- "Pod"
- Pod
mutate:
overlay:
metadata:
@ -32,11 +32,11 @@ spec:
spec:
volumes:
- (emptyDir): {}
- name: "annotate-host-path"
- name: annotate-host-path
match:
resources:
kinds:
- "Pod"
- Pod
mutate:
overlay:
metadata:
@ -47,5 +47,4 @@ spec:
- (hostPath):
path: "*"
````
````


@ -4,7 +4,7 @@ All processes inside the pod can be made to run with specific user and groupID b
## Policy YAML
[policy_validate_user_group_fsgroup_id.yaml](more/policy_validate_user_group_fsgroup_id.yaml)
[policy_validate_user_group_fsgroup_id.yaml](more/restrict_usergroup_fsgroup_id.yaml)
````yaml
apiVersion: kyverno.io/v1
@ -46,8 +46,4 @@ spec:
spec:
securityContext:
fsGroup: '2000'
# Alls processes inside the pod can be made to run with specific user and groupID by setting runAsUser and runAsGroup respectively.
# fsGroup can be specified to make sure any file created in the volume with have the specified groupID.
# The above parameters can also be used in a validate policy to restrict user & group IDs.
````
````


@ -7,17 +7,17 @@ The volume of type `hostPath` allows pods to use host bind mounts (i.e. director
[disallow_bind_mounts.yaml](best_practices/disallow_bind_mounts.yaml)
````yaml
apiVersion: "kyverno.io/v1"
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "disallow-bind-mounts"
name: disallow-bind-mounts
spec:
rules:
- name: "validate-hostPath"
- name: validate-hostPath
match:
resources:
kinds:
- "Pod"
- Pod
validate:
message: "Host path volumes are not allowed"
pattern:


@ -25,6 +25,6 @@ spec:
pattern:
spec:
=(volumes):
=(hostPath):
path: "!/var/run/docker.sock"
- =(hostPath):
path: "!/var/run/docker.sock"
````


@ -15,18 +15,28 @@ metadata:
name: disallow-host-network-port
spec:
rules:
- name: validate-host-network-port
- name: validate-host-network
match:
resources:
kinds:
- Pod
validate:
message: "Using host networking is not allowed"
message: "Use of hostNetwork is not allowed"
pattern:
spec:
=(hostNetwork): false
- name: validate-host-port
match:
resources:
kinds:
- Pod
validate:
message: "Use of hostPort is not allowed"
pattern:
spec:
(hostNetwork): false
containers:
- name: "*"
ports:
- hostPort: null
=(ports):
- X(hostPort): null
````
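Review bot: The new `validate-host-port` rule makes the `containers` check conditional on `(hostNetwork): false`, so whether `hostPort` is inspected now depends on how the conditional anchor behaves when `hostNetwork` is absent from the Pod spec, which is the common case; if an absent key does not satisfy the anchor, those Pods would skip the hostPort check entirely. Confirm the intended semantics and, if the goal is simply to forbid hostPort regardless of networking mode, drop the condition so the pattern is just `spec:` / `containers:` / `- name: "*"` followed by `=(ports):` and `- X(hostPort): null` as already written. The `validate-host-network` rule's `=(hostNetwork): false` is the right anchor there, since it only validates the key when present. The surrounding README prose lies outside this hunk.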


@ -14,7 +14,7 @@ metadata:
name: disallow-latest-tag
spec:
rules:
- name: require-tag
- name: require-image-tag
match:
resources:
kinds:
@ -25,7 +25,7 @@ spec:
spec:
containers:
- image: "*:*"
- name: validate-tag
- name: validate-image-tag
match:
resources:
kinds:


@ -15,7 +15,6 @@ apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-root-user
annotations:
spec:
rules:
- name: validate-runAsNonRoot
@ -24,7 +23,7 @@ spec:
kinds:
- Pod
validate:
message: "Root user is not allowed. Set runAsNonRoot to true"
message: "Running as root user is not allowed. Set runAsNonRoot to true"
anyPattern:
- spec:
securityContext:


@ -34,6 +34,7 @@ These policies provide additional best practices and are worthy of close conside
18. [Restrict `NodePort` services](RestrictNodePort.md)
19. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md)
20. [Restrict ingress classes](RestrictIngressClasses.md)
21. [Restrict User Group](CheckUserGroup.md)
## Applying the sample policies


@ -14,7 +14,6 @@ kind: ClusterPolicy
metadata:
name: require-pod-requests-limits
spec:
validationFailureAction: "audit"
rules:
- name: validate-resources
match:


@ -19,7 +19,7 @@ spec:
kinds:
- Pod
validate:
message: "Deny automounting API credentials"
message: "Auto-mounting of Service Account tokens is not allowed"
pattern:
spec:
automountServiceAccountToken: false


@ -15,19 +15,18 @@ Although NodePort services can be useful, their use should be limited to service
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-node-port
name: restrict-nodeport
spec:
rules:
- name: validate-node-port
- name: validate-nodeport
match:
resources:
kinds:
- Service
validate:
message: "Service of type NodePort is not allowed"
message: "Services of type NodePort are not allowed"
pattern:
spec:
type: "!NodePort"
````
````


@ -12,7 +12,7 @@ metadata:
desired traffic to application pods from select sources.
spec:
rules:
- name: "default-deny-ingress"
- name: default-deny-ingress
match:
resources:
kinds:


@ -16,7 +16,7 @@ spec:
- Namespace
generate:
kind: ResourceQuota
name: "default-resourcequota"
name: default-resourcequota
data:
spec:
hard:
@ -31,7 +31,7 @@ spec:
- Namespace
generate:
kind: LimitRange
name: "default-limitrange"
name: default-limitrange
data:
spec:
limits:


@ -1,7 +1,7 @@
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "add-safe-to-evict"
name: add-safe-to-evict
annotations:
policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict pods that
@ -9,29 +9,29 @@ metadata:
cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
spec:
rules:
- name: "annotate-empty-dir"
- name: annotate-empty-dir
match:
resources:
kinds:
- "Pod"
- Pod
mutate:
overlay:
metadata:
annotations:
+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
+(cluster-autoscaler.kubernetes.io/safe-to-evict): true
spec:
volumes:
- (emptyDir): {}
- name: "annotate-host-path"
- name: annotate-host-path
match:
resources:
kinds:
- "Pod"
- Pod
mutate:
overlay:
metadata:
annotations:
+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
+(cluster-autoscaler.kubernetes.io/safe-to-evict): true
spec:
volumes:
- (hostPath):
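Review bot: Both mutate overlays now write `+(cluster-autoscaler.kubernetes.io/safe-to-evict): true` with an unquoted value, which a YAML parser reads as a boolean, but Kubernetes annotation values are strings (`metadata.annotations` is `map[string]string`), so the patched Pod would carry a non-string annotation value and would likely be rejected by the API server. Keep the value quoted in both rules: `+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"`. The README copy of this policy in AddSafeToEvict.md does not show its annotation lines in this commit's hunks, so verify it separately. The rule bodies continue past the end of the second hunk.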


@ -1,7 +1,7 @@
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "disallow-bind-mounts"
name: disallow-bind-mounts
annotations:
policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind
@ -13,11 +13,11 @@ metadata:
spec:
rules:
- name: "validate-hostPath"
- name: validate-hostPath
match:
resources:
kinds:
- "Pod"
- Pod
validate:
message: "Host path volumes are not allowed"
pattern:


@ -4,7 +4,8 @@ metadata:
name: disallow-helm-tiller
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description:
policies.kyverno.io/description: Tiller has known security challenges. It requires adminstrative privileges and acts as a shared
resource accessible to any authenticated user. Tiller can lead to privilge escalation as restricted users can impact other users.
spec:
rules:
- name: validate-helm-tiller
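Review bot: The new description annotation misspells `adminstrative` and `privilge`; this is user-visible policy metadata (it shows up in `kubectl describe`), so it should read `administrative` and `privilege`. The text is also a plain multi-line scalar continued on the next line, which folds correctly here but is easy to break with a stray colon or hash; a `>-` block scalar would make the folding explicit. The rule bodies continue outside the hunk.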


@ -0,0 +1,45 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: validate-userid-groupid-fsgroup
annotations:
policies.kyverno.io/category: Security Context
policies.kyverno.io/description: All processes inside the pod can be made to run with specific user
and groupID by setting 'runAsUser' and 'runAsGroup' respectively. 'fsGroup' can be specified
to make sure any file created in the volume with have the specified groupID. These options can be
used to validate the IDs used for user and group.
spec:
rules:
- name: validate-userid
match:
resources:
kinds:
- Pod
validate:
message: "User ID should be 1000"
pattern:
spec:
securityContext:
runAsUser: '1000'
- name: validate-groupid
match:
resources:
kinds:
- Pod
validate:
message: "Group ID should be 3000"
pattern:
spec:
securityContext:
runAsGroup: '3000'
- name: validate-fsgroup
match:
resources:
kinds:
- Pod
validate:
message: "fsgroup should be 2000"
pattern:
spec:
securityContext:
fsGroup: '2000'
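Review bot: All three rules inspect only the Pod-level `spec.securityContext`, but in Kubernetes a container-level `securityContext.runAsUser` or `runAsGroup` overrides the Pod-level value, so a Pod that sets `runAsUser: 1000` at the Pod level and `runAsUser: 0` on a container satisfies `validate-userid` while still running as root. Either extend the patterns to cover `spec.containers` (and `initContainers`) securityContext as well, or state in the description annotation that container-level overrides are not checked. The ID values are written as quoted strings (`'1000'`, `'3000'`, `'2000'`) while the Pod fields are integers; presumably Kyverno's pattern matcher coerces them, but confirm, since a type mismatch would make every Pod fail these rules. The description also has a typo: `with have the specified groupID` should read `will have the specified groupID`.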