mirror of https://github.com/kyverno/kyverno.git synced 2025-04-15 16:56:56 +00:00

Update kyverno-policies chart with latest pod-security policies (#3126)

* Update kyverno-policies chart with latest pod-security policies
Fixes #3063
Fixes #2277

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Update README to have better example

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use chart testing during e2e to test against ci values

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Fix e2e tests for Helm chart

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Fix Kyverno chart testing to actually test values, and fix networkpolicy template

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Update README for exclusion

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Allow adding 'other' policies via Helm

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Update Chart.yaml for kyverno-policies

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Bump minimum Kubernetes version in charts

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Update kyverno-policies chart readme

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use version that should catch all pre-releases

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use version that should catch all pre-releases (part 2)

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use same logic to get git tag by using Makefile target for updating Helm values

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
This commit is contained in:
treydock 2022-02-04 01:47:36 -05:00 committed by GitHub
parent 4445780c7c
commit 4e0d8ca612
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
41 changed files with 1195 additions and 804 deletions

View file

@ -111,10 +111,7 @@ jobs:
- name: Update chart values
run: |
sed -i -e "s|nameOverride:.*|nameOverride: kyverno|g" charts/kyverno/values.yaml
sed -i -e "s|fullnameOverride:.*|fullnameOverride: kyverno|g" charts/kyverno/values.yaml
sed -i -e "s|namespace:.*|namespace: kyverno|g" charts/kyverno/values.yaml
sed -i -e "s|tag:.*|tag: $(git describe --tag)|" charts/kyverno/values.yaml
make helm-test-values
cat charts/kyverno/values.yaml
- name: Run chart-testing (install)
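Review bot: `make helm-test-values` rewrites the tracked `charts/kyverno/values.yaml` in place and ties this workflow to the Makefile's `GIT_VERSION_DEV` variable, which is not shown in this change, whereas the removed step used `git describe --tag` directly; please confirm both yield the same tag format, because the policies chart later feeds that tag to `semverCompare`. Keeping `cat charts/kyverno/values.yaml` is useful for debugging the substitution, but consider writing the CI overrides to a separate values file instead of mutating the checked-in one.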
@ -125,7 +122,7 @@ jobs:
- name: Run chart-testing (policies)
run: |
helm install kyverno charts/kyverno -n kyverno
ct install --target-branch=main --namespace=kyverno --charts charts/kyverno-policies
ct install --target-branch=main --namespace=kyverno --charts charts/kyverno-policies
- name: Debug failure
if: failure()
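Review bot: `helm install kyverno charts/kyverno -n kyverno` has no `--wait`, so `ct install` of `kyverno-policies` can run before the Kyverno Deployment exists or is Ready; the policies chart's `kyverno-policies.kyvernoVersion` helper does a `lookup` of that Deployment and silently skips the version check when nothing is found, so a race here would hide exactly the failure the check is meant to catch. Suggest `helm install --wait kyverno charts/kyverno -n kyverno`. The two `ct install` lines appear identical in this view, so a word in the commit message about what changed (indentation?) would save reviewers a whitespace diff.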

View file

@ -251,6 +251,12 @@ test-e2e-local:
kill $!
$(eval export E2E="")
helm-test-values:
sed -i -e "s|nameOverride:.*|nameOverride: kyverno|g" charts/kyverno/values.yaml
sed -i -e "s|fullnameOverride:.*|fullnameOverride: kyverno|g" charts/kyverno/values.yaml
sed -i -e "s|namespace:.*|namespace: kyverno|g" charts/kyverno/values.yaml
sed -i -e "s|tag:.*|tag: $(GIT_VERSION_DEV)|" charts/kyverno/values.yaml
# godownloader create downloading script for kyverno-cli
godownloader:
godownloader .goreleaser.yml --repo kyverno/kyverno -o ./scripts/install-cli.sh --source="raw"
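Review bot: the sed expressions in `helm-test-values` are unanchored, so `s|namespace:.*|namespace: kyverno|g` and `s|tag:.*|tag: ...|` rewrite every line of `charts/kyverno/values.yaml` that contains `namespace:` or `tag:` anywhere, nested keys and comments included; anchor them to the top-level key (for example `s|^namespace:.*|namespace: kyverno|`) or use a dedicated CI values file. `helm-test-values` produces no file of that name and should be declared `.PHONY`, and `GIT_VERSION_DEV` is referenced but not defined in this hunk, so make sure it is set before the target is reached.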

View file

@ -3,18 +3,18 @@ name: kyverno-policies
version: v2.2.0-rc2
appVersion: v1.6.0-rc2
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
description: Kubernetes Native Policy Management Policies
description: Kubernetes Pod Security Standards implemented as Kyverno policies
keywords:
- kubernetes
- nirmata
- policy agent
- validating webhook
- admissions controller
home: https://kyverno.io/
home: https://kyverno.io/policies/
sources:
- https://github.com/kyverno/kyverno
- https://github.com/kyverno/policies
maintainers:
- name: Nirmata
url: https://kyverno.io/
engine: gotpl
kubeVersion: ">=1.10.0-0"
kubeVersion: ">=1.16.0-0"
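Review bot: `kubeVersion: ">=1.16.0-0"` is the right form for letting managed-cluster version strings with a pre-release suffix (EKS- and GKE-style `v1.21.x-...`) satisfy the constraint, as the commit message intends. The README in this same change states a Kyverno 1.6.0 minimum, but nothing in Chart.yaml records it; since Helm has no field for it, consider a chart `annotations` entry so it shows up in `helm show chart`, because the runtime check in the templates does not fire under `helm template`. Minor: `keywords` still describe a generic policy engine (`policy agent`, `validating webhook`); adding `pod-security` would match the narrowed `description`.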

View file

@ -1,6 +1,41 @@
# Kyverno Policies
## TL;DR
## About
This chart contains Kyverno's implementation of the Kubernetes Pod Security Standards (PSS) as documented at https://kubernetes.io/docs/concepts/security/pod-security-standards/ and are a Helm packaged version of those found at https://github.com/kyverno/policies/tree/main/pod-security. The goal of the PSS controls is to provide a good starting point for general Kubernetes cluster operational security. These controls are broken down into two categories, Baseline and Restricted. Baseline policies implement the most basic of Pod security controls while Restricted implements more strict controls. Restricted is cumulative and encompasses those listed in Baseline.
The following policies are included in each profile.
**Baseline**
* disallow-capabilities
* disallow-host-namespaces
* disallow-host-path
* disallow-host-ports
* disallow-host-process
* disallow-privileged-containers
* disallow-proc-mount
* disallow-selinux
* restrict-apparmor-profiles
* restrict-seccomp
* restrict-sysctls
**Restricted**
* disallow-capabilities-strict
* disallow-privilege-escalation
* require-run-as-non-root-user
* require-run-as-nonroot
* restrict-seccomp-strict
* restrict-volume-types
An additional policy "require-non-root-groups" is included in an `other` group as this was previously included in the official PSS controls but since removed.
For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security.
## TL;DR Instructions
These PSS policies presently have a minimum requirement of Kyverno 1.6.0.
```console
## Add the Kyverno Helm repository
@ -26,9 +61,11 @@ The following table lists the configurable parameters of the kyverno chart and t
| Parameter | Description | Default |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `includeOtherPolicies` | Additional policies to include from `other` directory | `[]` |
| `podSecurityStandard` | set desired pod security level `privileged`, `baseline`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `baseline` |
| `podSecuritySeverity` | set desired pod security severity `low`, `medium`, `high`. Used severity level in PolicyReportResults for the selected pod security policies. | `medium` |
| `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` |
| `policyExclude` | Exclude resources from individual policies | `{}` |
| `validationFailureAction` | set to get response in failed validation check. Supported values are `audit` and `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
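Review bot: the `policyExclude` row only says "Exclude resources from individual policies", but the templates accept rule names as keys too (`disallow-selinux` merges `policyExclude.selinux-type` and `policyExclude.selinux-user-role` with `policyExclude.disallow-selinux`, and the ci values use `check-runasgroup`), and each value is a Kyverno `exclude` block (`any:`/`all:` with `resources`). Document both in the table and add the namespace exclusion example from the ci values, which is what "Update README for exclusion" in the commit message suggests. Two nits: the Restricted list has both `require-run-as-non-root-user` and `require-run-as-nonroot`, which read as duplicates without a one-line gloss on each; and `## TL;DR` became `## TL;DR Instructions`, so any links to the old heading anchor need updating.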

View file

@ -0,0 +1,25 @@
podSecurityStandard: restricted
includeOtherPolicies:
- require-non-root-groups
policyExclude:
disallow-host-path:
any:
- resources:
kinds:
- Pod
namespaces:
- fluent
require-non-root-groups:
any:
- resources:
kinds:
- Pod
namespaces:
- fluent
check-runasgroup:
any:
- resources:
kinds:
- Pod
namespaces:
- kube-system
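Review bot: `check-runasgroup` is not one of the policy names listed in the README; if it is a rule name inside `require-non-root-groups`, it only takes effect if that template indexes `policyExclude` by rule name the way `disallow-selinux` does, so please confirm the `require-non-root-groups` template (not shown here) does so, otherwise this block is silently ignored and the ci run proves nothing about rule-level exclusion. A comment at the top of the file naming the scenario it exercises (restricted profile, an `other` policy, namespace- and rule-level excludes) would help the next person.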

View file

@ -0,0 +1,18 @@
podSecurityStandard: restricted
includeOtherPolicies:
- require-non-root-groups
policyExclude:
disallow-host-path:
any:
- resources:
kinds:
- Pod
namespaces:
- fluent
require-non-root-groups:
any:
- resources:
kinds:
- Pod
namespaces:
- fluent
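Review bot: this file is identical to the previous ci values file minus the `check-runasgroup` block, so it is unclear what extra coverage it adds; either drop one, or head each with a comment stating the case it covers (policy-level excludes only versus policy- plus rule-level excludes).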

View file

@ -44,3 +44,35 @@ helm.sh/chart: {{ template "kyverno-policies.chart" . }}
{{- false }}
{{- end -}}
{{- end -}}
{{/* Set if a other policies are managed */}}
{{- define "kyverno-policies.podSecurityOther" -}}
{{- if has .name .Values.includeOtherPolicies }}
{{- true }}
{{- else -}}
{{- false }}
{{- end -}}
{{- end -}}
{{/* Get deployed Kyverno version from Kubernetes */}}
{{- define "kyverno-policies.kyvernoVersion" -}}
{{- $version := "" -}}
{{- with (lookup "apps/v1" "Deployment" .Release.Namespace "kyverno") -}}
{{- with (first .spec.template.spec.containers) -}}
{{- $imageTag := (split ":" .image)._1 -}}
{{- $version = trimPrefix "v" $imageTag -}}
{{- end -}}
{{- end -}}
{{ $version }}
{{- end -}}
{{/* Fail if deployed Kyverno does not match */}}
{{- define "kyverno-policies.supportedKyvernoCheck" -}}
{{- $supportedKyverno := index . "ver" -}}
{{- $top := index . "top" }}
{{- if (include "kyverno-policies.kyvernoVersion" $top) -}}
{{- if not ( semverCompare $supportedKyverno (include "kyverno-policies.kyvernoVersion" $top) ) -}}
{{- fail (printf "Kyverno version is too low, expected %s" $supportedKyverno) -}}
{{- end -}}
{{- end -}}
{{- end -}}
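Review bot: `kyverno-policies.kyvernoVersion` derives the tag with `(split ":" .image)._1`, which is wrong for images pulled through a registry with a port (`registry.example:5000/kyverno/kyverno:v1.6.0` yields `5000/kyverno/kyverno`) and for digest references (`...@sha256:...`); take the text after the last colon instead, e.g. `regexFind "[^:]+$" .image`, and treat a tag that is not semver (`latest`, a sha-based dev tag) as unknown rather than letting `semverCompare` abort the render with a parse error. The check is also skipped whenever `lookup` returns nothing, which covers `helm template`, `--dry-run`, a Deployment not literally named `kyverno` (the Kyverno chart's `fullnameOverride`), and any install of this chart into a namespace other than Kyverno's, since it looks in `.Release.Namespace`; so it is a convenience, not a guarantee, and the README should say so. `supportedKyvernoCheck` runs the `include` twice; capture it once in a variable. Comment nit: "Set if a other policies are managed" should read "Set if an `other` policy is selected".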

View file

@ -0,0 +1,58 @@
{{- $name := "disallow-capabilities" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
{{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow Capabilities
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Adding capabilities beyond those listed in the policy must be disallowed.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: adding-capabilities
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
are disallowed.
deny:
conditions:
all:
- key: "{{`{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}`}}"
operator: AnyNotIn
value:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
{{- end }}
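Review bot: this is the only template that calls `kyverno-policies.supportedKyvernoCheck`, yet every new policy carries `kyverno.io/kyverno-version: 1.6.0` and the README states 1.6.0 as the chart-wide minimum; because the call sits inside the `podSecurityBaseline` `if`, a `custom` profile that does not select `disallow-capabilities` never runs the check. Move it to a template that is evaluated unconditionally (a small top-level template that renders nothing but the check) so the minimum is enforced for every profile. Also `policies.kyverno.io/minversion: 1.6.0` appears here but not on the sibling templates; be consistent one way or the other.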

View file

@ -0,0 +1,44 @@
{{- $name := "disallow-host-namespaces" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow Host Namespaces
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
network namespace) allow access to shared information and can be used to elevate
privileges. Pods should not be allowed access to host namespaces. This policy ensures
fields which make use of these host namespaces are unset or set to `false`.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: host-namespaces
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
spec.hostIPC, and spec.hostPID must be unset or set to `false`.
pattern:
spec:
=(hostPID): "false"
=(hostIPC): "false"
=(hostNetwork): "false"
{{- end }}

View file

@ -0,0 +1,41 @@
{{- $name := "disallow-host-path" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow hostPath
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod,Volume
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
HostPath volumes let Pods use host directories and volumes in containers.
Using host resources can be used to access shared data or escalate privileges
and should not be allowed. This policy ensures no hostPath volumes are in use.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: host-path
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
pattern:
spec:
=(volumes):
- X(hostPath): "null"
{{- end }}

View file

@ -0,0 +1,50 @@
{{- $name := "disallow-host-ports" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow hostPorts
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should not be
allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
field is unset or set to `0`.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: host-ports-none
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
, spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
must either be unset or set to `0`.
pattern:
spec:
=(ephemeralContainers):
- =(ports):
- =(hostPort): 0
=(initContainers):
- =(ports):
- =(hostPort): 0
containers:
- =(ports):
- =(hostPort): 0
{{- end }}
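Review bot: the message line starting with `, spec.initContainers[*].ports[*].hostPort` puts the comma at the start of a folded line, so the rendered message reads "hostPort , spec.initContainers"; move the comma to the end of the preceding line. Worth stating in the commit message or README: the removed `disallow-host-ports` used `X(hostPort): 0` (field must be absent) while this one uses `=(hostPort): 0`, so a Pod that explicitly sets `hostPort: 0` now passes; that matches the message text and the PSS wording, but it is a behaviour change for existing users.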

View file

@ -0,0 +1,55 @@
{{- $name := "disallow-host-process" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow hostProcess
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
Windows pods offer the ability to run HostProcess containers which enables privileged
access to the Windows node. Privileged access to the host is disallowed in the baseline
policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
the `hostProcess` field, if present, is set to `false`.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: host-process-containers
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess,
and spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined
or set to `false`.
pattern:
spec:
=(ephemeralContainers):
- =(securityContext):
=(windowsOptions):
=(hostProcess): "false"
=(initContainers):
- =(securityContext):
=(windowsOptions):
=(hostProcess): "false"
containers:
- =(securityContext):
=(windowsOptions):
=(hostProcess): "false"
{{- end }}

View file

@ -0,0 +1,48 @@
{{- $name := "disallow-privileged-containers" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow Privileged Containers
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
Privileged mode disables most security mechanisms and must not be allowed. This policy
ensures Pods do not call for privileged mode.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: privileged-containers
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.
pattern:
spec:
=(ephemeralContainers):
- =(securityContext):
=(privileged): "false"
=(initContainers):
- =(securityContext):
=(privileged): "false"
containers:
- =(securityContext):
=(privileged): "false"
{{- end }}
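Review bot: the pattern also checks `ephemeralContainers`, but the `message` names only `spec.containers[*].securityContext.privileged` and `spec.initContainers[*].securityContext.privileged`; add `spec.ephemeralContainers[*].securityContext.privileged` so the violation report matches what is enforced (the proc-mount and host-process policies in this change already list all three).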

View file

@ -0,0 +1,52 @@
{{- $name := "disallow-proc-mount" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow procMount
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
The default /proc masks are set up to reduce attack surface and should be required. This policy
ensures nothing but the default procMount can be specified. Note that in order for users
to deviate from the `Default` procMount requires setting a feature gate at the API
server.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: check-proc-mount
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Changing the proc mount from the default is not allowed. The fields
spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
and spec.ephemeralContainers[*].securityContext.procMount must be unset or
set to `Default`.
pattern:
spec:
=(ephemeralContainers):
- =(securityContext):
=(procMount): "Default"
=(initContainers):
- =(securityContext):
=(procMount): "Default"
containers:
- =(securityContext):
=(procMount): "Default"
{{- end }}

View file

@ -0,0 +1,95 @@
{{- $name := "disallow-selinux" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow SELinux
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
SELinux options can be used to escalate privileges and should not be allowed. This policy
ensures that the `seLinuxOptions` field is undefined.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: selinux-type
match:
any:
- resources:
kinds:
- Pod
{{- with merge (index .Values "policyExclude" "selinux-type") (index .Values "policyExclude" $name) }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Setting the SELinux type is restricted. The fields
spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
, spec.initContainers[*].securityContext.seLinuxOptions, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
pattern:
spec:
=(securityContext):
=(seLinuxOptions):
=(type): "container_t | container_init_t | container_kvm_t"
=(ephemeralContainers):
- =(securityContext):
=(seLinuxOptions):
=(type): "container_t | container_init_t | container_kvm_t"
=(initContainers):
- =(securityContext):
=(seLinuxOptions):
=(type): "container_t | container_init_t | container_kvm_t"
containers:
- =(securityContext):
=(seLinuxOptions):
=(type): "container_t | container_init_t | container_kvm_t"
- name: selinux-user-role
match:
any:
- resources:
kinds:
- Pod
{{- with merge (index .Values "policyExclude" "selinux-user-role") (index .Values "policyExclude" $name) }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Setting the SELinux user or role is forbidden. The fields
spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,
spec.containers[*].securityContext.seLinuxOptions.user, spec.containers[*].securityContext.seLinuxOptions.role,
spec.initContainers[*].securityContext.seLinuxOptions.user, spec.initContainers[*].securityContext.seLinuxOptions.role,
spec.ephemeralContainers[*].securityContext.seLinuxOptions.user, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role
must be unset.
pattern:
spec:
=(securityContext):
=(seLinuxOptions):
X(user): "null"
X(role): "null"
=(ephemeralContainers):
- =(securityContext):
=(seLinuxOptions):
X(user): "null"
X(role): "null"
=(initContainers):
- =(securityContext):
=(seLinuxOptions):
X(user): "null"
X(role): "null"
containers:
- =(securityContext):
=(seLinuxOptions):
X(user): "null"
X(role): "null"
{{- end }}
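Review bot: `merge (index .Values "policyExclude" "selinux-type") (index .Values "policyExclude" $name)` does not union the two exclusions: sprig `merge` is a key-level merge in which the first argument's keys win, so when both the rule-level and the policy-level entries define `any:` the policy-level list is dropped, and a user who sets `policyExclude.disallow-selinux` together with `policyExclude.selinux-type` gets only the latter. Either document that a rule-level key replaces the policy-level one, or build the combined `any` list explicitly by concatenating both. Note also that `merge` mutates its first argument, so `.Values.policyExclude.selinux-type` is modified for the rest of the render. Message nits in `selinux-type`: one line starts with `, spec.initContainers[*]...` (space before the comma once folded) and that field is missing its `.type` suffix.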

View file

@ -0,0 +1,45 @@
{{- $name := "restrict-apparmor-profiles" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Restrict AppArmor
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod, Annotation
policies.kyverno.io/minversion: 1.3.0
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
The default policy should prevent overriding or disabling the policy, or restrict
overrides to an allowed set of profiles. This policy ensures Pods do not
specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: app-armor
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Specifying other AppArmor profiles is disallowed. The annotation
`container.apparmor.security.beta.kubernetes.io` if defined
must not be set to anything other than `runtime/default` or `localhost/*`.
pattern:
=(metadata):
=(annotations):
=(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"
{{- end }}

View file

@ -0,0 +1,59 @@
{{- $name := "restrict-seccomp" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Restrict Seccomp
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
The seccomp profile must not be explicitly set to Unconfined. This policy,
requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
set to `RuntimeDefault` or `Localhost`.
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}
rules:
- name: check-seccomp
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Use of custom Seccomp profiles is disallowed. The fields
spec.securityContext.seccompProfile.type,
spec.containers[*].securityContext.seccompProfile.type,
spec.initContainers[*].securityContext.seccompProfile.type, and
spec.ephemeralContainers[*].securityContext.seccompProfile.type
must be unset or set to `RuntimeDefault` or `Localhost`.
pattern:
spec:
=(securityContext):
=(seccompProfile):
=(type): "RuntimeDefault | Localhost"
=(ephemeralContainers):
- =(securityContext):
=(seccompProfile):
=(type): "RuntimeDefault | Localhost"
=(initContainers):
- =(securityContext):
=(seccompProfile):
=(type): "RuntimeDefault | Localhost"
containers:
- =(securityContext):
=(seccompProfile):
=(type): "RuntimeDefault | Localhost"
{{- end }}

View file

@ -0,0 +1,49 @@
{{- $name := "restrict-sysctls" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Restrict sysctls
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
Sysctls can disable security mechanisms or affect all containers on a
host, and should be disallowed except for an allowed "safe" subset. A
sysctl is considered safe if it is namespaced in the container or the
Pod, and it is isolated from other Pods or processes on the same Node.
This policy ensures that only those "safe" subsets can be specified in
a Pod.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: check-sysctls
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Setting additional sysctls above the allowed type is disallowed.
The field spec.securityContext.sysctls must be unset or not use any other names
than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
net.ipv4.ping_group_range.
pattern:
spec:
=(securityContext):
=(sysctls):
- =(name): "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"
{{- end }}

View file

@ -1,41 +0,0 @@
{{- $name := "disallow-add-capabilities" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Capabilities permit privileged actions without giving full root access.
Adding capabilities beyond the default set must not be allowed.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: capabilities
match:
resources:
kinds:
- Pod
validate:
message: >-
Adding of additional capabilities beyond the default set is not allowed.
The fields spec.containers[*].securityContext.capabilities.add and
spec.initContainers[*].securityContext.capabilities.add must be empty.
pattern:
spec:
containers:
- =(securityContext):
=(capabilities):
X(add): null
=(initContainers):
- =(securityContext):
=(capabilities):
X(add): null
{{- end -}}
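Review bot: deleting `disallow-add-capabilities` (replaced by `disallow-capabilities`, and similarly `require-default-proc-mount` by `disallow-proc-mount`) is a breaking change for anyone who listed the old names in `podSecurityPolicies` under a `custom` profile or as `policyExclude` keys: each template only checks whether its own `$name` was selected, so an unknown name matches no template and renders nothing, with no error. Please add a short renamed-policies list to the README or chart changelog, and consider failing the render when a name in `podSecurityPolicies` matches no known policy.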

View file

@ -1,36 +0,0 @@
{{- $name := "disallow-host-namespaces" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
network namespace) allow access to shared information and can be used to elevate
privileges. Pods should not be allowed access to host namespaces.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: host-namespaces
match:
resources:
kinds:
- Pod
validate:
message: >-
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
spec.hostIPC, and spec.hostPID must not be set to true.
pattern:
spec:
=(hostPID): "false"
=(hostIPC): "false"
=(hostNetwork): "false"
{{- end -}}

View file

@ -1,34 +0,0 @@
{{- $name := "disallow-host-path" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
HostPath volumes let pods use host directories and volumes in containers.
Using host resources can be used to access shared data or escalate privileges
and should not be allowed.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: host-path
match:
resources:
kinds:
- Pod
validate:
message: >-
HostPath volumes are forbidden. The fields spec.volumes[*].hostPath must not be set.
pattern:
spec:
=(volumes):
- X(hostPath): "null"
{{- end -}}

View file

@ -1,38 +0,0 @@
{{- $name := "disallow-host-ports" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should not be
allowed, or at minimum restricted to a known list.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: host-ports
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
and spec.initContainers[*].ports[*].hostPort must be empty.
pattern:
spec:
=(initContainers):
- =(ports):
- X(hostPort): 0
containers:
- =(ports):
- X(hostPort): 0
{{- end -}}

@ -1,37 +0,0 @@
{{- $name := "disallow-privileged-containers" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Privileged mode disables most security mechanisms and must not be allowed.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: priviledged-containers
match:
resources:
kinds:
- Pod
validate:
message: >-
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
and spec.initContainers[*].securityContext.privileged must not be set to true.
pattern:
spec:
=(initContainers):
- =(securityContext):
=(privileged): "false"
containers:
- =(securityContext):
=(privileged): "false"
{{- end -}}

@ -1,39 +0,0 @@
{{- $name := "require-default-proc-mount" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
The default /proc masks are set up to reduce attack surface and should be required.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: check-proc-mount
match:
resources:
kinds:
- Pod
validate:
message: >-
Changing the proc mount from the default is not allowed. The fields
spec.containers[*].securityContext.procMount and
spec.initContainers[*].securityContext.procMount must not be changed
from `Default`.
pattern:
spec:
=(initContainers):
- =(securityContext):
=(procMount): "Default"
containers:
- =(securityContext):
=(procMount): "Default"
{{- end -}}

@ -1,41 +0,0 @@
{{- $name := "disallow-selinux" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow SELinux
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
SELinux options can be used to escalate privileges and should not be allowed.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: seLinux
match:
resources:
kinds:
- Pod
validate:
message: >-
Setting custom SELinux options is disallowed. The fields
spec.securityContext.seLinuxOptions, spec.containers[*].securityContext.seLinuxOptions,
and spec.initContainers[*].securityContext.seLinuxOptions must be empty.
pattern:
spec:
=(securityContext):
X(seLinuxOptions): "null"
=(initContainers):
- =(securityContext):
X(seLinuxOptions): "null"
containers:
- =(securityContext):
X(seLinuxOptions): "null"
{{- end -}}

@ -1,37 +0,0 @@
{{- $name := "restrict-apparmor-profiles" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Restrict AppArmor
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
The default policy should prevent overriding or disabling the policy, or restrict
overrides to an allowed set of profiles.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: app-armor
match:
resources:
kinds:
- Pod
validate:
message: >-
Specifying other AppArmor profiles is disallowed. The annotation
container.apparmor.security.beta.kubernetes.io must not be defined,
or must not be set to anything other than `runtime/default`.
pattern:
metadata:
=(annotations):
=(container.apparmor.security.beta.kubernetes.io/*): "runtime/default"
{{- end -}}

@ -1,40 +0,0 @@
{{- $name := "restrict-sysctls" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Sysctls can disable security mechanisms or affect all containers on a
host, and should be disallowed except for an allowed "safe" subset. A
sysctl is considered safe if it is namespaced in the container or the
Pod, and it is isolated from other Pods or processes on the same Node.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: sysctls
match:
resources:
kinds:
- Pod
validate:
message: >-
Setting additional sysctls above the allowed type is disallowed.
The field spec.securityContext.sysctls must not use any other names
than 'kernel.shm_rmid_forced', 'net.ipv4.ip_local_port_range',
'net.ipv4.tcp_syncookies' and 'net.ipv4.ping_group_range'.
pattern:
spec:
=(securityContext):
=(sysctls):
- name: "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"
value: "?*"
{{- end -}}

@ -0,0 +1,102 @@
{{- $name := "require-non-root-groups" }}
{{- if eq (include "kyverno-policies.podSecurityOther" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Sample
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/minversion: 1.3.6
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Containers should be forbidden from running with a root primary or supplementary GID.
This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number
greater than zero (i.e., non root). A known issue prevents a policy such as this
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: check-runasgroup
match:
any:
- resources:
kinds:
- Pod
{{- with merge (index .Values "policyExclude" "check-runasgroup") (index .Values "policyExclude" $name) }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Running with root group IDs is disallowed. The fields
spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
spec.initContainers[*].securityContext.runAsGroup, and
spec.ephemeralContainers[*].securityContext.runAsGroup must be
set to a value greater than zero.
anyPattern:
- spec:
securityContext:
runAsGroup: ">0"
=(ephemeralContainers):
- =(securityContext):
=(runAsGroup): ">0"
=(initContainers):
- =(securityContext):
=(runAsGroup): ">0"
containers:
- =(securityContext):
=(runAsGroup): ">0"
- spec:
=(ephemeralContainers):
- securityContext:
runAsGroup: ">0"
=(initContainers):
- securityContext:
runAsGroup: ">0"
containers:
- securityContext:
runAsGroup: ">0"
- name: check-supplementalgroups
match:
any:
- resources:
kinds:
- Pod
{{- with merge (index .Values "policyExclude" "check-supplementalgroups") (index .Values "policyExclude" $name) }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Containers cannot run with a root primary or supplementary GID. The field
spec.securityContext.supplementalGroups must be unset or
set to a value greater than zero.
pattern:
spec:
=(securityContext):
=(supplementalGroups): ">0"
- name: check-fsgroup
match:
any:
- resources:
kinds:
- Pod
{{- with merge (index .Values "policyExclude" "check-fsgroup") (index .Values "policyExclude" $name) }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Containers cannot run with a root primary or supplementary GID. The field
spec.securityContext.fsGroup must be unset or set to a value greater than zero.
pattern:
spec:
=(securityContext):
=(fsGroup): ">0"
{{- end }}
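Review bot: the new template has no `labels: {{ include "kyverno-policies.labels" . | nindent 4 }}` block under `metadata:`, which every removed template above carried (see the deleted disallow-host-path), so this ClusterPolicy renders without the chart's common labels; the same omission is visible in each of the other templates added in this commit. Unless dropping them is intended, add the labels back so the policies stay selectable with the chart's label set. Minor: `policies.kyverno.io/minversion: 1.3.6` sits next to `kyverno.io/kyverno-version: 1.6.0`; the two version claims should agree.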

@ -1,39 +0,0 @@
{{- $name := "deny-privilege-escalation" }}
{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}
rules:
- name: deny-privilege-escalation
match:
resources:
kinds:
- Pod
validate:
message: >-
Privilege escalation is disallowed. The fields
spec.containers[*].securityContext.allowPrivilegeEscalation, and
spec.initContainers[*].securityContext.allowPrivilegeEscalation must
be undefined or set to `false`.
pattern:
spec:
=(initContainers):
- =(securityContext):
=(allowPrivilegeEscalation): "false"
containers:
- =(securityContext):
=(allowPrivilegeEscalation): "false"
{{- end -}}

@ -0,0 +1,79 @@
{{- $name := "disallow-capabilities-strict" }}
{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
{{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow Capabilities (Strict)
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
all containers must explicitly drop `ALL` capabilities.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: require-drop-all
match:
any:
- resources:
kinds:
- Pod
{{- with merge (index .Values "policyExclude" "require-drop-all") (index .Values "policyExclude" $name) }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
preconditions:
all:
- key: "{{`{{ request.operation }}`}}"
operator: NotEquals
value: DELETE
validate:
message: >-
Containers must drop `ALL` capabilities.
foreach:
- list: request.object.spec.[ephemeralContainers, initContainers, containers][]
deny:
conditions:
all:
- key: ALL
operator: AnyNotIn
value: "{{`{{ element.securityContext.capabilities.drop || '' }}`}}"
- name: adding-capabilities-strict
match:
any:
- resources:
kinds:
- Pod
{{- with merge (index .Values "policyExclude" "adding-capabilities-strict") (index .Values "policyExclude" $name) }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
preconditions:
all:
- key: "{{`{{ request.operation }}`}}"
operator: NotEquals
value: DELETE
validate:
message: >-
Any capabilities added other than NET_BIND_SERVICE are disallowed.
foreach:
- list: request.object.spec.[ephemeralContainers, initContainers, containers][]
deny:
conditions:
all:
- key: "{{`{{ element.securityContext.capabilities.add[] || '' }}`}}"
operator: AnyNotIn
value:
- NET_BIND_SERVICE
- ''
{{- end }}
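Review bot: the description should state that containers with no `securityContext.capabilities.drop` at all are rejected, not only those dropping something other than ALL. In `require-drop-all`, `{{ element.securityContext.capabilities.drop || '' }}` evaluates to `''` when the field is unset, and `ALL AnyNotIn ''` is true, so the deny fires. That is the right strict behaviour for the Restricted profile, but "Containers must drop `ALL` capabilities" is all an operator sees in the report, and workloads that never set capabilities will fail here; a sentence in the description and the chart README would save confusion.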

@ -0,0 +1,51 @@
{{- $name := "disallow-privilege-escalation" }}
{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow Privilege Escalation
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: privilege-escalation
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Privilege escalation is disallowed. The fields
spec.containers[*].securityContext.allowPrivilegeEscalation,
spec.initContainers[*].securityContext.allowPrivilegeEscalation,
and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
must be set to `false`.
pattern:
spec:
=(ephemeralContainers):
- securityContext:
allowPrivilegeEscalation: "false"
=(initContainers):
- securityContext:
allowPrivilegeEscalation: "false"
containers:
- securityContext:
allowPrivilegeEscalation: "false"
{{- end }}
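Review bot: this replaces the removed `deny-privilege-escalation` ClusterPolicy under a new name, so a Helm upgrade deletes the old object and creates this one, and any `podSecurityPolicies:` entry (used with `podSecurityStandard: custom`) or `policyExclude:` key that names `deny-privilege-escalation` silently stops matching. Call the rename out in the chart README. The pattern is also stricter than the removed one: `securityContext: allowPrivilegeEscalation: "false"` is now required on every container instead of the optional `=(securityContext)` form, so pods that previously passed by leaving the field unset will be reported. The message text matches the new behaviour, which is good.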

@ -1,67 +0,0 @@
{{- $name := "require-non-root-groups" }}
{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Containers should be forbidden from running with a root primary or supplementary GID.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}
rules:
- name: check-runasgroup
match:
resources:
kinds:
- Pod
validate:
message: >-
Running with root group IDs is disallowed. The fields
spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
and spec.initContainers[*].securityContext.runAsGroup must be empty
or greater than zero.
pattern:
spec:
=(securityContext):
=(runAsGroup): ">0"
=(initContainers):
- =(securityContext):
=(runAsGroup): ">0"
containers:
- =(securityContext):
=(runAsGroup): ">0"
- name: check-supplementalGroups
match:
resources:
kinds:
- Pod
validate:
message: >-
Adding of supplemental group IDs is not allowed. The field
spec.securityContext.supplementalGroups must not be defined.
pattern:
spec:
=(securityContext):
=(supplementalGroups): ">0"
- name: check-fsGroup
match:
resources:
kinds:
- Pod
validate:
message: >-
Changing to root group ID is disallowed. The field
spec.securityContext.fsGroup must be empty or greater than zero.
pattern:
spec:
=(securityContext):
=(fsGroup): ">0"
{{- end -}}
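Review bot: this policy leaves the Restricted set and is re-added above behind the `podSecurityOther` gate, so `podSecurityStandard: restricted` no longer installs `require-non-root-groups`; users must now opt in through `includeOtherPolicies`. That is a silent loss of a control on upgrade and should be listed as a breaking change in the README, with the `includeOtherPolicies` example from values.yaml next to it.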

@ -0,0 +1,52 @@
{{- $name := "require-run-as-non-root-user" }}
{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Require Run As Non-Root User
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
Containers must be required to run as non-root users. This policy ensures
`runAsUser` is either unset or set to a number greater than zero.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: run-as-non-root-user
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Running as root is not allowed. The fields spec.securityContext.runAsUser,
spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,
and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or
set to a number greater than zero.
pattern:
spec:
=(securityContext):
=(runAsUser): ">0"
=(ephemeralContainers):
- =(securityContext):
=(runAsUser): ">0"
=(initContainers):
- =(securityContext):
=(runAsUser): ">0"
containers:
- =(securityContext):
=(runAsUser): ">0"
{{- end }}
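Review bot: every `runAsUser` in the pattern is optional (`=(runAsUser): ">0"`), so a Pod that sets no `runAsUser` anywhere passes, exactly as the message says. On its own this policy therefore does not require non-root execution; it only forbids an explicit UID 0. The description should say that it complements `require-run-as-nonroot`, which enforces the `runAsNonRoot: true` half of the Restricted profile, so readers do not assume either policy is sufficient alone.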

@ -1,46 +1,63 @@
{{- $name := "require-run-as-non-root" }}
{{- $name := "require-run-as-nonroot" }}
{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Require runAsNonRoot
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: Containers must be required to run as non-root users.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
Containers must be required to run as non-root users. This policy ensures
`runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: check-containers
match:
resources:
kinds:
- Pod
validate:
message: >-
Running as root is not allowed. The fields spec.securityContext.runAsNonRoot,
spec.containers[*].securityContext.runAsNonRoot, and
spec.initContainers[*].securityContext.runAsNonRoot must be `true`.
anyPattern:
- spec:
securityContext:
runAsNonRoot: true
containers:
- =(securityContext):
=(runAsNonRoot): true
=(initContainers):
- =(securityContext):
=(runAsNonRoot): true
- spec:
containers:
- securityContext:
- name: run-as-non-root
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
must be set to `true`.
anyPattern:
- spec:
securityContext:
runAsNonRoot: true
=(initContainers):
- securityContext:
runAsNonRoot: true
{{- end -}}
=(ephemeralContainers):
- =(securityContext):
=(runAsNonRoot): true
=(initContainers):
- =(securityContext):
=(runAsNonRoot): true
containers:
- =(securityContext):
=(runAsNonRoot): true
- spec:
=(ephemeralContainers):
- securityContext:
runAsNonRoot: true
=(initContainers):
- securityContext:
runAsNonRoot: true
containers:
- securityContext:
runAsNonRoot: true
{{- end }}
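Review bot: the first two lines rename the ClusterPolicy from `require-run-as-non-root` to `require-run-as-nonroot`; Helm treats that as delete-and-create, and `podSecurityPolicies` or `policyExclude` entries keyed on the old name break without an error. Note the rename in the README. The rewritten `anyPattern` also adds `ephemeralContainers`, which the old pattern did not cover, and the new message lists that field, so message and pattern agree.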

@ -0,0 +1,74 @@
{{- $name := "restrict-seccomp-strict" }}
{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Restrict Seccomp (Strict)
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
The seccomp profile in the Restricted group must not be explicitly set to Unconfined
but additionally must also not allow an unset value. This policy,
requiring Kubernetes v1.19 or later, ensures that seccomp is
set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}
rules:
- name: check-seccomp-strict
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Use of custom Seccomp profiles is disallowed. The fields
spec.securityContext.seccompProfile.type,
spec.containers[*].securityContext.seccompProfile.type,
spec.initContainers[*].securityContext.seccompProfile.type, and
spec.ephemeralContainers[*].securityContext.seccompProfile.type
must be set to `RuntimeDefault` or `Localhost`.
anyPattern:
- spec:
securityContext:
seccompProfile:
type: "RuntimeDefault | Localhost"
=(ephemeralContainers):
- =(securityContext):
=(seccompProfile):
=(type): "RuntimeDefault | Localhost"
=(initContainers):
- =(securityContext):
=(seccompProfile):
=(type): "RuntimeDefault | Localhost"
containers:
- =(securityContext):
=(seccompProfile):
=(type): "RuntimeDefault | Localhost"
- spec:
=(ephemeralContainers):
- securityContext:
seccompProfile:
type: "RuntimeDefault | Localhost"
=(initContainers):
- securityContext:
seccompProfile:
type: "RuntimeDefault | Localhost"
containers:
- securityContext:
seccompProfile:
type: "RuntimeDefault | Localhost"
{{- end }}
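Review bot: one caveat worth a line in the description: `Localhost` is accepted without constraining `localhostProfile`, so any profile present on the node satisfies this rule. That mirrors the Restricted profile, but it means the policy cannot distinguish a hardened local profile from a permissive one, and operators allowing `Localhost` need a separate control over what gets shipped to nodes. The description also says the policy needs Kubernetes v1.19 or later for `seccompProfile`; that requirement should be surfaced in the README since the chart itself is installable on older clusters.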

@ -1,47 +0,0 @@
{{- $name := "restrict-seccomp" }}
{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Restrict Seccomp
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
The runtime default seccomp profile must be required, or only specific
additional profiles should be allowed.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}
rules:
- name: seccomp
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of custom Seccomp profiles is disallowed. The fields
spec.securityContext.seccompProfile.type,
spec.containers[*].securityContext.seccompProfile.type, and
spec.initContainers[*].securityContext.seccompProfile.type
must be unset or set to `runtime/default`.
pattern:
spec:
=(securityContext):
=(seccompProfile):
=(type): "runtime/default"
=(initContainers):
- =(securityContext):
=(seccompProfile):
=(type): "runtime/default"
containers:
- =(securityContext):
=(seccompProfile):
=(type): "runtime/default"
{{- end -}}
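Review bot: removing this is the right call: the old pattern compared `seccompProfile.type` to `"runtime/default"`, which is the annotation-era spelling and not a valid `type` value (`RuntimeDefault`, `Localhost`, `Unconfined`), so a compliant Pod with `type: RuntimeDefault` would have failed it. Its replacement `restrict-seccomp-strict` above also stops accepting an unset profile ("must be unset or set to" becomes "must be set to"), which is a tightening to flag in the release notes.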

@ -1,281 +1,56 @@
{{- $name := "restrict-volume-types" }}
{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
{{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Restrict Volume Types
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/subject: Pod,Volume
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/description: >-
In addition to restricting HostPath volumes, the restricted pod security profile
limits usage of non-core volume types to those defined through PersistentVolumes.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
app: kyverno
This policy blocks any other type of volume other than those in the allow list.
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: restricted-vol-gcePersistentDisk
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the gcePersistentDisk type volume is disallowed.
The fields spec.volumes[*].gcePersistentDisk must not be set.
pattern:
spec:
=(volumes):
- X(gcePersistentDisk): "null"
- name: restricted-vol-awsElasticBlockStore
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the awsElasticBlockStore type volume is disallowed.
The fields spec.volumes[*].awsElasticBlockStore must not be set.
pattern:
spec:
=(volumes):
- X(awsElasticBlockStore): "null"
- name: restricted-vol-gitRepo
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the gitRepo type volume is disallowed.
The fields spec.volumes[*].gitRepo must not be set.
pattern:
spec:
=(volumes):
- X(gitRepo): "null"
- name: restricted-vol-nfs
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the nfs type volume is disallowed.
The fields spec.volumes[*].nfs must not be set.
pattern:
spec:
=(volumes):
- X(nfs): "null"
- name: restricted-vol-iscsi
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the iscsi type volume is disallowed.
The fields spec.volumes[*].iscsi must not be set.
pattern:
spec:
=(volumes):
- X(iscsi): "null"
- name: restricted-vol-glusterfs
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the glusterfs type volume is disallowed.
The fields spec.volumes[*].glusterfs must not be set.
pattern:
spec:
=(volumes):
- X(glusterfs): "null"
- name: restricted-vol-rbd
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the rbd type volume is disallowed.
The fields spec.volumes[*].rbd must not be set.
pattern:
spec:
=(volumes):
- X(rbd): "null"
- name: restricted-vol-flexVolume
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the flexVolume type volume is disallowed.
The fields spec.volumes[*].flexVolume must not be set.
pattern:
spec:
=(volumes):
- X(flexVolume): "null"
- name: restricted-vol-cinder
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the cinder type volume is disallowed.
The fields spec.volumes[*].cinder must not be set.
pattern:
spec:
=(volumes):
- X(cinder): "null"
- name: restricted-vol-cephfs
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the cephfs type volume is disallowed.
The fields spec.volumes[*].cephfs must not be set.
pattern:
spec:
=(volumes):
- X(cephfs): "null"
- name: restricted-vol-flocker
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the flocker type volume is disallowed.
The fields spec.volumes[*].flocker must not be set.
pattern:
spec:
=(volumes):
- X(flocker): "null"
- name: restricted-vol-fc
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the fc type volume is disallowed.
The fields spec.volumes[*].fc must not be set.
pattern:
spec:
=(volumes):
- X(fc): "null"
- name: restricted-vol-azureFile
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the azureFile type volume is disallowed.
The fields spec.volumes[*].azureFile must not be set.
pattern:
spec:
=(volumes):
- X(azureFile): "null"
- name: restricted-vol-vsphereVolume
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the vsphereVolume type volume is disallowed.
The fields spec.volumes[*].vsphereVolume must not be set.
pattern:
spec:
=(volumes):
- X(vsphereVolume): "null"
- name: restricted-vol-quobyte
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the quobyte type volume is disallowed.
The fields spec.volumes[*].quobyte must not be set.
pattern:
spec:
=(volumes):
- X(quobyte): "null"
- name: restricted-vol-azureDisk
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the azureDisk type volume is disallowed.
The fields spec.volumes[*].azureDisk must not be set.
pattern:
spec:
=(volumes):
- X(azureDisk): "null"
- name: restricted-vol-portworxVolume
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the portworxVolume type volume is disallowed.
The fields spec.volumes[*].portworxVolume must not be set.
pattern:
spec:
=(volumes):
- X(portworxVolume): "null"
- name: restricted-vol-scaleIO
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the scaleIO type volume is disallowed.
The fields spec.volumes[*].scaleIO must not be set.
pattern:
spec:
=(volumes):
- X(scaleIO): "null"
- name: restricted-vol-storageos
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the storageos type volume is disallowed.
The fields spec.volumes[*].storageos must not be set.
pattern:
spec:
=(volumes):
- X(storageos): "null"
- name: restricted-vol-csi
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the csi type volume is disallowed.
The fields spec.volumes[*].csi must not be set.
pattern:
spec:
=(volumes):
- X(csi): "null"
{{- end -}}
- name: restricted-volumes
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Only the following types of volumes may be used: configMap, csi, downwardAPI,
emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
deny:
conditions:
all:
- key: "{{`{{ request.object.spec.volumes[].keys(@)[] || '' }}`}}"
operator: AnyNotIn
value:
- name
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
- ''
{{- end }}
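Review bot: the new deny rule allows `csi`, which the removed `restricted-vol-csi` rule in this same file denied; that matches the Restricted profile's allow list, but it is a behaviour change for existing users of the chart and belongs in the changelog. The `|| ''` fallback together with `''` in the allowed values correctly lets a Pod with no `volumes` pass, and `name` has to stay in the list because every volume entry carries it. Style: the added description sentence "blocks any other type of volume other than those in the allow list" doubles "other"; "blocks any volume type not in the allow list" reads better.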

@ -5,9 +5,35 @@ podSecurityStandard: baseline
podSecuritySeverity: medium
# Policies to include when podSecurityStandard is custom
podSecurityPolicies: []
# Additional policies to include from "other"
# Example:
# includeOtherPolicies:
# - require-non-root-groups
includeOtherPolicies: []
# Supported values- `audit`, `enforce`
# For more info- https://kyverno.io/docs/writing-policies/validate/
validationFailureAction: audit
# Exclude resources from individual policies
# Eg:
# policyExclude:
# disallow-host-path:
# any:
# - resources:
# kinds:
# - Pod
# namespaces:
# - fluent
#
# Policies with multiple rules can have individual rules excluded:
# policyExclude:
# adding-capabilities-strict:
# any:
# - resources:
# kinds:
# - Pod
# namespaces:
# - kube-system
policyExclude: {}
nameOverride:
# -- Additional labels
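Review bot: the `policyExclude` comment should say how a rule-level key combines with a policy-level key for the same policy. The templates call `merge (index .Values "policyExclude" "<rule>") (index .Values "policyExclude" $name)`, and Sprig `merge` does not concatenate lists, so if both `adding-capabilities-strict` and `disallow-capabilities-strict` define `any:`, the rule-level `any:` wins and the policy-level entries are dropped for that rule. Either document that a rule-level exclude replaces the policy-level list, or have the example show that the two are alternatives. Also worth knowing: `merge` mutates its first argument in place, so the rule-level map inside `.Values` picks up the policy-level keys during rendering; harmless here, but it is why `mergeOverwrite (dict) ...` is the safer idiom.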

@ -17,4 +17,4 @@ maintainers:
- name: Nirmata
url: https://kyverno.io/
engine: gotpl
kubeVersion: ">=1.10.0-0"
kubeVersion: ">=1.16.0-0"
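Review bot: `>=1.16.0-0` is looser than what the templates in this commit claim: the added policies carry `kyverno.io/kubernetes-version: "1.22-1.23"`, the seccomp policy description requires v1.19 or later for `seccompProfile`, and the `ephemeralContainers` patterns only matter on clusters that have that feature. Either raise the floor accordingly or state in the README that the 1.16 constraint applies to the chart objects and not to every policy.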

@ -50,6 +50,6 @@ spec:
port: {{ .Values.metricsService.port }}
{{- end }}
{{- else }}
ingress: {}
ingress: []
{{- end }}
{{- end }}
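Review bot: `ingress: []` is the correct fix; `ingress` in a networking.k8s.io/v1 NetworkPolicy is a list, so the previous `{}` failed schema validation whenever the else branch rendered. Be aware that an empty list means no ingress is allowed to the selected pods when `Ingress` is among `policyTypes`, which is presumably the intent of this branch; a short comment saying so would save the next reader a check.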