update documentation

2025-03-14 19:58:45 +00:00 · 2019-12-10 09:51:15 -08:00 · 2019-12-10 09:51:15 -08:00 · 4894577ba1
commit 4894577ba1
parent ee20fcd4a0
19 changed files with 105 additions and 56 deletions
--- a/samples/AddDefaultNetworkPolicy.md
+++ b/samples/AddDefaultNetworkPolicy.md
@ -15,7 +15,7 @@ metadata:
  name: add-networkpolicy
 spec:
  rules:
-  - name: "default-deny-ingress"
+  - name: default-deny-ingress
    match:
      resources: 
        kinds:
--- a/samples/AddNamespaceQuotas.md
+++ b/samples/AddNamespaceQuotas.md
@ -24,7 +24,7 @@ spec:
        - Namespace
    generate:
      kind: ResourceQuota
-      name: "default-resourcequota"
+      name: default-resourcequota
      data:
        spec:
          hard:
@ -39,7 +39,7 @@ spec:
        - Namespace
    generate:
      kind: LimitRange
-      name: "default-limitrange"
+      name: default-limitrange
      data:
        spec:
          limits:
--- a/samples/AddSafeToEvict.md
+++ b/samples/AddSafeToEvict.md
@ -13,17 +13,17 @@ This policy matches and mutates pods with `emptyDir` and `hostPath` volumes, to
 [add_safe_to_evict_annotation.yaml](best_practices/add_safe_to_evict.yaml)
 ````yaml
-apiVersion: "kyverno.io/v1"
+apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata: 
-  name: "add-safe-to-evict"
+  name: add-safe-to-evict
 spec: 
  rules: 
  - name: "annotate-empty-dir"
    match: 
      resources: 
        kinds: 
-        - "Pod"
+        - Pod
    mutate: 
      overlay:
        metadata:
@ -32,11 +32,11 @@ spec:
        spec:          
          volumes: 
          - (emptyDir): {}
-  - name: "annotate-host-path"
+  - name: annotate-host-path
    match: 
      resources: 
        kinds: 
-        - "Pod"
+        - Pod
    mutate: 
      overlay:
        metadata:
@ -47,5 +47,4 @@ spec:
          - (hostPath):
              path: "*"
-````
+````
--- a/samples/CheckUserGroup.md
+++ b/samples/CheckUserGroup.md
@ -4,7 +4,7 @@ All processes inside the pod can be made to run with specific user and groupID b
 ## Policy YAML 
-[policy_validate_user_group_fsgroup_id.yaml](more/policy_validate_user_group_fsgroup_id.yaml)
+[policy_validate_user_group_fsgroup_id.yaml](more/restrict_usergroup_fsgroup_id.yaml)
 ````yaml
 apiVersion: kyverno.io/v1
@ -46,8 +46,4 @@ spec:
        spec:
          securityContext:
            fsGroup: '2000'
-# Alls processes inside the pod can be made to run with specific user and groupID by setting runAsUser and runAsGroup respectively.
+````
 # fsGroup can be specified to make sure any file created in the volume with have the specified groupID.
 # The above parameters can also be used in a validate policy to restrict user & group IDs.
 ````
--- a/samples/DisallowBindMounts.md
+++ b/samples/DisallowBindMounts.md
@ -7,17 +7,17 @@ The volume of type `hostPath` allows pods to use host bind mounts (i.e. director
 [disallow_bind_mounts.yaml](best_practices/disallow_bind_mounts.yaml) 
 ````yaml
-apiVersion: "kyverno.io/v1"
+apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata: 
-  name: "disallow-bind-mounts"
+  name: disallow-bind-mounts
 spec: 
  rules: 
-  - name: "validate-hostPath"
+  - name: validate-hostPath
    match: 
      resources: 
        kinds: 
-        - "Pod"
+        - Pod
    validate: 
      message: "Host path volumes are not allowed"
      pattern: 
--- a/samples/DisallowDockerSockMount.md
+++ b/samples/DisallowDockerSockMount.md
@ -25,6 +25,6 @@ spec:
      pattern:
        spec:
          =(volumes):
-            =(hostPath):
+            - =(hostPath):
-              path: "!/var/run/docker.sock"
+                path: "!/var/run/docker.sock"
 ````
--- a/samples/DisallowHostNetworkPort.md
+++ b/samples/DisallowHostNetworkPort.md
@ -15,18 +15,28 @@ metadata:
  name: disallow-host-network-port
 spec:
  rules:
-  - name: validate-host-network-port
+  - name: validate-host-network
    match:
      resources:
        kinds:
        - Pod
    validate:
-      message: "Using host networking is not allowed"
+      message: "Use of hostNetwork is not allowed"
      pattern:
        spec:
          =(hostNetwork): false
  - name: validate-host-port
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Use of hostPort is not allowed"
      pattern:
        spec:
          (hostNetwork): false
          containers:
          - name: "*"
-            ports:
+            =(ports):
-            - hostPort: null
+              - X(hostPort): null
 ````
--- a/samples/DisallowLatestTag.md
+++ b/samples/DisallowLatestTag.md
@ -14,7 +14,7 @@ metadata:
  name: disallow-latest-tag
 spec:
  rules:
-  - name: require-tag
+  - name: require-image-tag
    match:
      resources:
        kinds:
@ -25,7 +25,7 @@ spec:
        spec:
          containers:
          - image: "*:*"
-  - name: validate-tag
+  - name: validate-image-tag
    match:
      resources:
        kinds:
--- a/samples/DisallowRootUser.md
+++ b/samples/DisallowRootUser.md
@ -15,7 +15,6 @@ apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: disallow-root-user
  annotations:
 spec:
  rules:
  - name: validate-runAsNonRoot
@ -24,7 +23,7 @@ spec:
        kinds:
        - Pod
    validate:
-      message: "Root user is not allowed. Set runAsNonRoot to true"
+      message: "Running as root user is not allowed. Set runAsNonRoot to true"
      anyPattern:
      - spec:
          securityContext:
--- a/samples/README.md
+++ b/samples/README.md
@ -34,6 +34,7 @@ These policies provide additional best practices and are worthy of close conside
 18. [Restrict `NodePort` services](RestrictNodePort.md)
 19. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md)
 20. [Restrict ingress classes](RestrictIngressClasses.md)
 21. [Restrict User Group](CheckUserGroup.md)
 ## Applying the sample policies
--- a/samples/RequirePodRequestsLimits.md
+++ b/samples/RequirePodRequestsLimits.md
@ -14,7 +14,6 @@ kind: ClusterPolicy
 metadata:
  name: require-pod-requests-limits
 spec:
  validationFailureAction: "audit"
  rules:
  - name: validate-resources
    match:
--- a/samples/RestrictAutomountSAToken.md
+++ b/samples/RestrictAutomountSAToken.md
@ -19,7 +19,7 @@ spec:
        kinds:
        - Pod
    validate:
-      message: "Deny automounting API credentials"
+      message: "Auto-mounting of Service Account tokens is not allowed"
      pattern:
        spec:
          automountServiceAccountToken: false
--- a/samples/RestrictNodePort.md
+++ b/samples/RestrictNodePort.md
@ -15,19 +15,18 @@ Although NodePort services can be useful, their use should be limited to service
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: restrict-node-port
+  name: restrict-nodeport
 spec:
  rules:
-  - name: validate-node-port
+  - name: validate-nodeport
    match:
      resources:
        kinds:
        - Service
    validate:
-      message: "Service of type NodePort is not allowed"
+      message: "Services of type NodePort are not allowed"
      pattern: 
        spec:
          type: "!NodePort"
-````
+````
--- a/samples/best_practices/add_network_policy.yaml
+++ b/samples/best_practices/add_network_policy.yaml
@ -12,7 +12,7 @@ metadata:
      desired traffic to application pods from select sources.
 spec:
  rules:
-  - name: "default-deny-ingress"
+  - name: default-deny-ingress
    match:
      resources: 
        kinds:
--- a/samples/best_practices/add_ns_quota.yaml
+++ b/samples/best_practices/add_ns_quota.yaml
@ -16,7 +16,7 @@ spec:
        - Namespace
    generate:
      kind: ResourceQuota
-      name: "default-resourcequota"
+      name: default-resourcequota
      data:
        spec:
          hard:
@ -31,7 +31,7 @@ spec:
        - Namespace
    generate:
      kind: LimitRange
-      name: "default-limitrange"
+      name: default-limitrange
      data:
        spec:
          limits:
--- a/samples/best_practices/add_safe_to_evict.yaml
+++ b/samples/best_practices/add_safe_to_evict.yaml
@ -1,7 +1,7 @@
-apiVersion: "kyverno.io/v1"
+apiVersion: kyverno.io/v1
-kind: "ClusterPolicy"
+kind: ClusterPolicy
 metadata: 
-  name: "add-safe-to-evict"
+  name: add-safe-to-evict
  annotations:
    policies.kyverno.io/category: Workload Management
    policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict pods that 
@ -9,29 +9,29 @@ metadata:
      cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods. 
 spec: 
  rules: 
-  - name: "annotate-empty-dir"
+  - name: annotate-empty-dir
    match: 
      resources: 
        kinds: 
-        - "Pod"
+        - Pod
    mutate: 
      overlay:
        metadata:
          annotations:
-            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
+            +(cluster-autoscaler.kubernetes.io/safe-to-evict): true
        spec:          
          volumes: 
          - (emptyDir): {}
-  - name: "annotate-host-path"
+  - name: annotate-host-path
    match: 
      resources: 
        kinds: 
-        - "Pod"
+        - Pod
    mutate: 
      overlay:
        metadata:
          annotations:
-            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
+            +(cluster-autoscaler.kubernetes.io/safe-to-evict): true
        spec:          
          volumes: 
          - (hostPath):
--- a/samples/best_practices/disallow_bind_mounts.yaml
+++ b/samples/best_practices/disallow_bind_mounts.yaml
@ -1,7 +1,7 @@
-apiVersion: "kyverno.io/v1"
+apiVersion: kyverno.io/v1
-kind: "ClusterPolicy"
+kind: ClusterPolicy
 metadata: 
-  name: "disallow-bind-mounts"
+  name: disallow-bind-mounts
  annotations:
    policies.kyverno.io/category: Workload Isolation
    policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind 
@ -13,11 +13,11 @@ metadata:
 spec: 
  rules: 
-  - name: "validate-hostPath"
+  - name: validate-hostPath
    match: 
      resources: 
        kinds: 
-        - "Pod"
+        - Pod
    validate: 
      message: "Host path volumes are not allowed"
      pattern: 
--- a/samples/best_practices/disallow_helm_tiller.yaml
+++ b/samples/best_practices/disallow_helm_tiller.yaml
@ -4,7 +4,8 @@ metadata:
  name: disallow-helm-tiller
  annotations:
    policies.kyverno.io/category: Security
-    policies.kyverno.io/description: 
+    policies.kyverno.io/description: Tiller has known security challenges. It requires adminstrative privileges and acts as a shared 
    resource accessible to any authenticated user. Tiller can lead to privilge escalation as restricted users can impact other users.
 spec:
  rules:
  - name: validate-helm-tiller
--- a/samples/more/restrict_usergroup_fsgroup_id.yaml
+++ b/samples/more/restrict_usergroup_fsgroup_id.yaml
@ -0,0 +1,45 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: validate-userid-groupid-fsgroup
  annotations:
    policies.kyverno.io/category: Security Context
    policies.kyverno.io/description: All processes inside the pod can be made to run with specific user 
      and groupID by setting 'runAsUser' and 'runAsGroup' respectively. 'fsGroup' can be specified 
      to make sure any file created in the volume with have the specified groupID. These options can be 
      used to validate the IDs used for user and group.
 spec:
  rules:
  - name: validate-userid
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "User ID should be 1000"
      pattern:
        spec:
          securityContext:
            runAsUser: '1000'
  - name: validate-groupid
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Group ID should be 3000"
      pattern:
        spec:
          securityContext:
            runAsGroup: '3000'
  - name: validate-fsgroup
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "fsgroup should be 2000"
      pattern:
        spec:
          securityContext:
            fsGroup: '2000'