mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-28 10:28:36 +00:00
initial clean up
This commit is contained in:
shivkumar dudhani
parent
4abdec337d
commit
530ac6962c
144 changed files with 291 additions and 1101 deletions
|
|
@ -1,27 +0,0 @@
|
|||
# Best Practice Policies
|
||||
|
||||
| Best practice | Policy | scenario|
|
||||
|------------------------------------------------|------------------------------------|---------------------|
|
||||
| Run as non-root user | [policy_validate_deny_runasrootuser.yaml](policy_validate_deny_runasrootuser.yaml) | best_practices |
|
||||
| Disallow automount api credentials | []() | best_practices |
|
||||
| Disallow privileged and privilege escalation | [policy_validate_container_disallow_priviledgedprivelegesecalation.yaml](policy_validate_container_disallow_priviledgedprivelegesecalation.yaml) | best_practices |
|
||||
| Disallow use of host networking and ports | [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml) | best_practices |
|
||||
| Disallow use of host filesystem | [policy_validate_host_path.yaml](policy_validate_host_path.yaml) |
|
||||
| Disallow hostPID and hostIPC | [policy_validate_hostpid_hosipc.yaml](policy_validate_hostpid_hosipc.yaml) | best_practices |
|
||||
| Require read only root filesystem | [policy_validate_not_readonly_rootfilesystem.yaml](policy_validate_not_readonly_rootfilesystem.yaml) | best_practices |
|
||||
| Disallow node ports | [policy_validate_disallow_node_port.yaml](policy_validate_disallow_node_port.yaml) | best_practices |
|
||||
| Allow trusted registries | [policy_validate_whitelist_image_registries.yaml](policy_validate_whitelist_image_registries.yaml) | best_practices |
|
||||
| Require resource requests and limits | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml) | best_practices |
|
||||
| Require pod liveness and readiness probes | [policy_validate_pod_probes.yaml](policy_validate_pod_probes.yaml) | best_practices |
|
||||
| Require an image tag | [policy_validate_image_tag_notspecified_deny.yaml](policy_validate_image_tag_notspecified_deny.yaml) | best_practices |
|
||||
| Disallow latest tag and pull IfNotPresent | [policy_validate_image_latest_ifnotpresent_deny.yaml](policy_validate_image_latest_ifnotpresent_deny.yaml) |
|
||||
| Require a namespace (disallow default) | [policy_validate_default_namespace.yaml](policy_validate_default_namespace.yaml) | best_practices |
|
||||
| Prevent mounting of default service account | [policy_validate_disallow_default_serviceaccount.yaml](policy_validate_disallow_default_serviceaccount.yaml) |
|
||||
| Require a default network policy | [policy_validate_default_network_policy.yaml](policy_validate_default_network_policy.yaml) | best_practices |
|
||||
| Require namespace quotas and limit ranges | [policy_validate_namespace_quota.yaml](policy_validate_namespace_quota.yaml) | best_practices |
|
||||
| Allow an FSGroup that owns the pod's volumes | [policy_validate_fsgroup.yaml](policy_validate_fsgroup.yaml) |
|
||||
| Require SELinux level of the container | [policy_validate_selinux_context.yaml](policy_validate_selinux_context.yaml) |
|
||||
| Allow default Proc Mount type | [policy_validate_default_proc_mount.yaml](policy_validate_default_proc_mount.yaml) |
|
||||
| Allow certain capability to be added | [policy_validate_container_capabilities.yaml](policy_validate_container_capabilities.yaml) |
|
||||
| Allow local tcp/udp port range | [policy_validate_sysctl_configs.yaml](policy_validate_sysctl_configs.yaml) |
|
||||
| Allowed volume plugins | [policy_validate_volume_whitelist.yaml](policy_validate_volume_whitelist.yaml) |
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-deny-privileged-disallowpriviligedescalation
|
||||
spec:
|
||||
validationFailureAction: "audit"
|
||||
rules:
|
||||
- name: deny-privileged-disallowpriviligedescalation
|
||||
exclude:
|
||||
resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
|
||||
anyPattern:
|
||||
- spec:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
privileged: false
|
||||
- spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
privileged: false
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-namespace
|
||||
spec:
|
||||
rules:
|
||||
- name: check-default-namespace
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "A none 'default' namespace is required"
|
||||
pattern:
|
||||
metadata:
|
||||
namespace: "!default"
|
||||
- name: check-namespace-exist
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "A namespace is required"
|
||||
pattern:
|
||||
metadata:
|
||||
namespace: "?*"
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: defaultgeneratenetworkpolicy
|
||||
spec:
|
||||
rules:
|
||||
- name: "default-networkpolicy"
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
name: "devtest"
|
||||
generate:
|
||||
kind: NetworkPolicy
|
||||
name: defaultnetworkpolicy
|
||||
data:
|
||||
spec:
|
||||
# select all pods in the namespace
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
# allow all ingress traffic from pods within this namespace
|
||||
ingress:
|
||||
- {}
|
||||
# allow all egress traffic
|
||||
egress:
|
||||
- {}
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-deny-runasrootuser
|
||||
spec:
|
||||
validationFailureAction: "audit"
|
||||
rules:
|
||||
- name: deny-runasrootuser
|
||||
exclude:
|
||||
resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "Root user is not allowed. Set runAsNonRoot to true."
|
||||
anyPattern:
|
||||
- spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
- spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-node-port
|
||||
spec:
|
||||
rules:
|
||||
- name: disallow-node-port
|
||||
exclude:
|
||||
resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Service
|
||||
validate:
|
||||
message: "Disallow service of type NodePort"
|
||||
pattern:
|
||||
spec:
|
||||
type: "!NodePort"
|
||||
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-host-network-hostport
|
||||
spec:
|
||||
rules:
|
||||
- name: validate-host-network-hostport
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "hostNetwork and hostPort are not allowed"
|
||||
pattern:
|
||||
spec:
|
||||
hostNetwork: false
|
||||
containers:
|
||||
- name: "*"
|
||||
ports:
|
||||
- hostPort: null
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-hostpid-hostipc
|
||||
spec:
|
||||
rules:
|
||||
- name: validate-hostpid-hostipc
|
||||
exclude:
|
||||
resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "Disallow use of host's pid namespace and host's ipc namespace"
|
||||
pattern:
|
||||
spec:
|
||||
(hostPID): "!true"
|
||||
hostIPC: false
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-image
|
||||
spec:
|
||||
rules:
|
||||
- name: validate-tag
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "imagePullPolicy 'IfNotPresent' forbidden with image tag 'latest'"
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- (image): "*:latest"
|
||||
imagePullPolicy: "!IfNotPresent"
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-image
|
||||
spec:
|
||||
rules:
|
||||
- name: validate-tag
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "An image tag is required"
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- image: "*:*"
|
||||
- name: validate-latest
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "imagePullPolicy 'Always' required with tag 'latest'"
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- (image): "*latest"
|
||||
imagePullPolicy: Always
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-image-tag-notlatest
|
||||
spec:
|
||||
rules:
|
||||
- name: image-tag-notlatest
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "image tag 'latest' forbidden"
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- image: "!*:latest"
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-image-tag-notspecified
|
||||
spec:
|
||||
rules:
|
||||
- name: image-tag-notspecified
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "image tag not specified"
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- image: "*:*"
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-namespace-quota
|
||||
spec:
|
||||
rules:
|
||||
- name: validate-namespace-quota
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
generate:
|
||||
kind: ResourceQuota
|
||||
name: "defaultresourcequota"
|
||||
spec:
|
||||
hard:
|
||||
requests.cpu: "*"
|
||||
requests.memory: "*"
|
||||
limits.cpu: "*"
|
||||
limits.memory: "*"
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-not-readonly-rootfilesystem
|
||||
spec:
|
||||
rules:
|
||||
- name: validate-not-readonly-rootfilesystem
|
||||
exclude:
|
||||
resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "Container should not have read-only rootfilesystem"
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- securityContext:
|
||||
readOnlyRootFilesystem: false
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-probes
|
||||
spec:
|
||||
validationFailureAction: "audit"
|
||||
rules:
|
||||
- name: check-probes
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
# exclude:
|
||||
# namespaces:
|
||||
# - kube-system
|
||||
validate:
|
||||
message: "Liveness and readiness probes are required"
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
livenessProbe:
|
||||
periodSeconds: ">0"
|
||||
readinessProbe:
|
||||
periodSeconds: ">0"
|
||||
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-image-registry
|
||||
spec:
|
||||
rules:
|
||||
- name: validate-image-registry
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "White list of image registries"
|
||||
anyPattern:
|
||||
- spec:
|
||||
containers:
|
||||
- image: "https://private.registry.io/*"
|
||||
- spec:
|
||||
containers:
|
||||
- image: "*nirmata*"
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: nginx
|
||||
labels:
|
||||
app: "nirmata-nginx"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: nginx
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: nginx
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:latest
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-resources
|
||||
spec:
|
||||
# validationFailureAction: "audit"
|
||||
rules:
|
||||
- name: check-pod-resources
|
||||
message: "CPU and memory resource requests and limits are required"
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: myapp-pod
|
||||
validate:
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
resources:
|
||||
requests:
|
||||
memory: "?*"
|
||||
cpu: "?*"
|
||||
limits:
|
||||
memory: "?*"
|
||||
cpu: "?*"
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: image-with-hostpath
|
||||
labels:
|
||||
app.type: prod
|
||||
namespace: "my-namespace"
|
||||
spec:
|
||||
containers:
|
||||
- name: image-with-hostpath
|
||||
image: docker.io/nautiker/curl
|
||||
volumeMounts:
|
||||
- name: var-lib-etcd
|
||||
mountPath: /var/lib
|
||||
volumes:
|
||||
- name: var-lib-etcd
|
||||
hostPath:
|
||||
path: /var/lib
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:1.12
|
||||
imagePullPolicy: IfNotPresent
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:latest
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:latest
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
kind: Namespace
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: "test-namespace-quota"
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: sec-ctx-unprivileged
|
||||
spec:
|
||||
# securityContext:
|
||||
# runAsNonRoot: true
|
||||
containers:
|
||||
- name: imagen-with-hostpath
|
||||
image: nginxinc/nginx-unprivileged
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: nirmata-nginx
|
||||
spec:
|
||||
containers:
|
||||
- name: nirmata-nginx
|
||||
image: nirmata/nginx
|
||||
|
|
@ -30,10 +30,6 @@ func Test_validate_healthChecks(t *testing.T) {
|
|||
testScenario(t, "/test/scenarios/test/scenario_validate_healthChecks.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_imageRegistries(t *testing.T) {
|
||||
testScenario(t, "/test/scenarios/test/scenario_validate_imageRegistries.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_nonRootUsers(t *testing.T) {
|
||||
testScenario(t, "/test/scenarios/test/scenario_validate_nonRootUser.yaml")
|
||||
}
|
||||
|
|
@ -43,14 +39,6 @@ func Test_generate_networkPolicy(t *testing.T) {
|
|||
}
|
||||
|
||||
// namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver
|
||||
func Test_validate_image_latest_ifnotpresent_deny(t *testing.T) {
|
||||
testScenario(t, "/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml")
|
||||
|
||||
}
|
||||
|
||||
func Test_validate_image_latest_ifnotpresent_pass(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_image_pullpolicy_notalways_deny(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml")
|
||||
|
|
@ -80,10 +68,6 @@ func Test_validate_disallow_default_namespace(t *testing.T) {
|
|||
testScenario(t, "test/scenarios/test/scenario_validate_disallow_default_namespace.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_host_path(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/test/scenario_validate_host_path.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_host_network_port(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_network_hostport.yaml")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,27 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: check-cpu-memory
|
||||
spec:
|
||||
rules:
|
||||
- name: check-pod-resources
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "CPU and memory resource requests and limits are required"
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
# 'name: *' selects all containers in the pod
|
||||
- name: "*"
|
||||
resources:
|
||||
limits:
|
||||
# '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters.
|
||||
# Using them together e.g. '?*' requires at least one character.
|
||||
memory: "?*"
|
||||
cpu: "?*"
|
||||
requests:
|
||||
memory: "?*"
|
||||
cpu: "?*"
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: PolicyViolation
|
||||
metadata:
|
||||
name: pv1
|
||||
spec:
|
||||
policy: check-cpu-memory
|
||||
resource:
|
||||
kind: Pod
|
||||
namespace: ""
|
||||
name: pod1
|
||||
rules:
|
||||
- name: r1
|
||||
type: Mutation
|
||||
status: Failed
|
||||
message: test mesaage for rule failure
|
||||
---
|
||||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: PolicyViolation
|
||||
metadata:
|
||||
name: pv2
|
||||
spec:
|
||||
policy: check-cpu-memory
|
||||
resource:
|
||||
kind: Pod
|
||||
namespace: ""
|
||||
name: pod1
|
||||
rules:
|
||||
- name: r1
|
||||
type: Mutation
|
||||
status: Failed
|
||||
message: test mesaage for rule failure
|
||||
---
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: nginx-deployment
|
||||
labels:
|
||||
app: nginx
|
||||
cli: test
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: nginx
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: nginx
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nirmata/nginx:green
|
||||
# imagePullPolicy: Always
|
||||
ports:
|
||||
- containerPort: 80
|
||||
- name: nginx1
|
||||
image: launcher.gcr.io/google/nginx1
|
||||
|
|
@ -1,86 +0,0 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name : policy-deployment
|
||||
spec :
|
||||
rules:
|
||||
- name: add-label
|
||||
match:
|
||||
resources:
|
||||
kinds :
|
||||
- Deployment
|
||||
selector :
|
||||
matchLabels :
|
||||
cli: test
|
||||
mutate:
|
||||
patches:
|
||||
- path: /metadata/labels/isMutated
|
||||
op: add
|
||||
value: "true"
|
||||
overlay:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
# if the image nginx, set the imagePullPolicy to Always
|
||||
- (image): "*nginx*"
|
||||
imagePullPolicy: "Always"
|
||||
- name: add-label2
|
||||
match:
|
||||
resources:
|
||||
kinds :
|
||||
- Deployment
|
||||
selector :
|
||||
matchLabels :
|
||||
cli: test
|
||||
mutate:
|
||||
patches:
|
||||
- path: /metadata/labels/app1
|
||||
op: replace
|
||||
value: "nginx_is_mutated"
|
||||
- name: add-label3
|
||||
match:
|
||||
resources:
|
||||
kinds :
|
||||
- Deployment
|
||||
selector :
|
||||
matchLabels :
|
||||
cli: test
|
||||
mutate:
|
||||
patches:
|
||||
- path: /metadata/labels/app2
|
||||
op: add
|
||||
value: "nginx_is_mutated2"
|
||||
- name: check-image
|
||||
match:
|
||||
resources:
|
||||
kinds :
|
||||
- Deployment
|
||||
selector :
|
||||
matchLabels :
|
||||
cli: test
|
||||
validate:
|
||||
message: "The imagePullPolicy must be Always when using image nginx"
|
||||
pattern:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- (image): "*nginx*"
|
||||
imagePullPolicy: "Always"
|
||||
- name: check-registries
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
- StatefulSet
|
||||
validate:
|
||||
message: "Registry is not allowed"
|
||||
pattern:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
# Check allowed registries
|
||||
image: "*nirmata/* | launcher.gcr.io/*"
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/cli/policy_deployment.yaml
|
||||
resource: examples/cli/nginx.yaml
|
||||
policy: test/scenarios/cli/policy_deployment.yaml
|
||||
resource: test/scenarios/cli/nginx.yaml
|
||||
expected:
|
||||
passes: true
|
||||
mutation:
|
||||
|
|
@ -19,8 +19,8 @@ expected:
|
|||
- "Rule check-image: Validation succesfully."
|
||||
---
|
||||
input:
|
||||
policy: examples/cli/policy_deployment.yaml
|
||||
resource: examples/cli/ghost.yaml
|
||||
policy: test/scenarios/cli/policy_deployment.yaml
|
||||
resource: test/scenarios/cli/ghost.yaml
|
||||
expected:
|
||||
passes: true
|
||||
mutation:
|
||||
|
|
|
|||
|
|
@ -1,28 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: defaultgeneratenetworkpolicy
|
||||
spec:
|
||||
rules:
|
||||
- name: "default-networkpolicy"
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
name: "devtest"
|
||||
generate:
|
||||
kind: NetworkPolicy
|
||||
name: defaultnetworkpolicy
|
||||
data:
|
||||
spec:
|
||||
# select all pods in the namespace
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
# allow all ingress traffic from pods within this namespace
|
||||
ingress:
|
||||
- {}
|
||||
# allow all egress traffic
|
||||
egress:
|
||||
- {}
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
apiVersion: kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-container-security-context
|
||||
spec:
|
||||
# validationFailureAction: "audit"
|
||||
rules:
|
||||
- name: check-root-user
|
||||
exclude:
|
||||
resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "Root user is not allowed. Set runAsNonRoot to true."
|
||||
anyPattern:
|
||||
- spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
- spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: lb1
|
||||
namespace: test
|
||||
spec:
|
||||
selector:
|
||||
app: app
|
||||
ports:
|
||||
- port: 8765 # random
|
||||
targetPort: 9376 # random
|
||||
type: LoadBalancer
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: lb2
|
||||
namespace: test
|
||||
spec:
|
||||
selector:
|
||||
app: app
|
||||
ports:
|
||||
- port: 8765 # random
|
||||
targetPort: 9376 # random
|
||||
type: LoadBalancer
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
kind: Namespace
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: "test"
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: check-privileged-cfg
|
||||
spec:
|
||||
containers:
|
||||
- name: check-privileged-cfg
|
||||
image: nginxinc/nginx-unprivileged
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: true
|
||||
privileged: false
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/cli/policy_deployment.yaml
|
||||
resource: examples/cli/nginx.yaml
|
||||
expected:
|
||||
mutation:
|
||||
patchedresource: test/output/nginx.yaml
|
||||
policyresponse:
|
||||
policy: policy-deployment
|
||||
resource:
|
||||
kind: Deployment
|
||||
apiVersion: 'apps/v1'
|
||||
namespace: ''
|
||||
name: nginx-deployment
|
||||
rules:
|
||||
- name: add-label
|
||||
type: Mutation
|
||||
success: true
|
||||
message: succesfully process JSON patches
|
||||
# patches: `[{"path":"/metadata/labels/isMutated","op":"add","value":"true"},
|
||||
# {"path":"/metadata/labels/app","op":"replace","value":"nginx_is_mutated"}]`
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/require_default_network_policy.yaml
|
||||
resource: test/manifest/require_default_network_policy.yaml
|
||||
resource: test/scenarios/resources/require_default_network_policy.yaml
|
||||
expected:
|
||||
generation:
|
||||
generatedResources:
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: test/scenarios/policy_mutate_endpoint.yaml
|
||||
policy: test/scenarios/mutate/policy_mutate_endpoint.yaml
|
||||
resource: test/scenarios/resources/resource_mutate_endpoint.yaml
|
||||
expected:
|
||||
mutation:
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: test/scenarios/policy_mutate_imagePullPolicy.yaml
|
||||
policy: test/scenarios/mutate/policy_mutate_imagePullPolicy.yaml
|
||||
resource: test/scenarios/resources/resource_mutate_imagePullPolicy.yaml
|
||||
expected:
|
||||
mutation:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
|
||||
resource: examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
|
||||
policy: test/scenarios/mutate/policy_mutate_pod_disable_automountingapicred.yaml
|
||||
resource: test/scenarios/mutate/resource_mutate_pod_disable_automountingapicred.yaml
|
||||
expected:
|
||||
mutation:
|
||||
patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: test/scenarios/policy_mutate_validate_qos.yaml
|
||||
policy: test/scenarios/mutate/policy_mutate_validate_qos.yaml
|
||||
resource: test/scenarios/resources/resource_mutate_validate_qos.yaml
|
||||
expected:
|
||||
mutation:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/require_image_tag_not_latest.yaml
|
||||
resource: test/manifest/require_image_tag_not_latest_deny.yaml
|
||||
resource: test/scenarios/resources/require_image_tag_not_latest_deny.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/require_image_tag_not_latest.yaml
|
||||
resource: test/manifest/require_image_tag_not_latest_notag.yaml
|
||||
resource: test/scenarios/resources/require_image_tag_not_latest_notag.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/require_image_tag_not_latest.yaml
|
||||
resource: examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
|
||||
resource: test/scenarios/resources/resource_validate_image_tag_latest_pass.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: test/scenarios/policy_validate_containerSecurityContext.yaml
|
||||
policy: test/scenarios/validate/policy_validate_containerSecurityContext.yaml
|
||||
resource: test/scenarios/resources/resource_validate_containerSecurityContext.yaml
|
||||
expected:
|
||||
validation:
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/additional/policy_validate_container_capabilities.yaml
|
||||
resource: examples/best_practices/resources/resource_validate_container_capabilities.yaml
|
||||
resource: test/scenarios/resources/resource_validate_container_capabilities.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml
|
||||
resource: examples/best_practices/resources/resource_validate_container_disallow_priviledgedprivelegesecalation.yaml
|
||||
policy: samples/best_practices/disallow_priviledged_priviligedescalation.yaml
|
||||
resource: test/scenarios/resources/resource_validate_container_disallow_priviledgedprivelegesecalation.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_validate_default_namespace.yaml
|
||||
resource: examples/best_practices/resources/resource_default_namespace.yaml
|
||||
policy: samples/best_practices/disallow_default_namespace.yaml
|
||||
resource: test/scenarios/resources/resource_default_namespace.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
|
||||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_validate_default_proc_mount.yaml
|
||||
resource: examples/best_practices/resources/resource_validate_default_proc_mount.yaml
|
||||
policy: test/scenarios/validate/policy_validate_default_proc_mount.yaml
|
||||
resource: test/scenarios/resources/resource_validate_default_proc_mount.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/deny_runasrootuser.yaml
|
||||
resource: test/manifest/deny_runasrootuser.yaml
|
||||
resource: test/scenarios/resources/deny_runasrootuser.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/disallow_automountingapicred.yaml
|
||||
resource: test/manifest/disallow_automountingapicred.yaml
|
||||
resource: test/scenarios/resources/disallow_automountingapicred.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/disallow_default_namespace.yaml
|
||||
resource: test/manifest/disallow_default_namespace.yaml
|
||||
resource: test/scenarios/resources/disallow_default_namespace.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_validate_disallow_default_serviceaccount.yaml
|
||||
resource: examples/best_practices/resources/resource_validate_disallow_default_serviceaccount.yaml
|
||||
policy: test/scenarios/validate/policy_validate_disallow_default_serviceaccount.yaml
|
||||
resource: test/scenarios/resources/resource_validate_disallow_default_serviceaccount.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/disallow_host_filesystem.yaml
|
||||
resource: test/manifest/disallow_host_filesystem.yaml
|
||||
resource: test/scenarios/resources/disallow_host_filesystem.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/disallow_host_filesystem.yaml
|
||||
resource: test/manifest/disallow_host_filesystem_pass.yaml
|
||||
resource: test/scenarios/resources/disallow_host_filesystem_pass.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/disallow_host_network_hostport.yaml
|
||||
resource: test/manifest/disallow_host_network_hostport.yaml
|
||||
resource: test/scenarios/resources/disallow_host_network_hostport.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/disallow_hostpid_hostipc.yaml
|
||||
resource: test/manifest/disallow_hostpid_hostipc.yaml
|
||||
resource: test/scenarios/resources/disallow_hostpid_hostipc.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/disallow_node_port.yaml
|
||||
resource: test/manifest/disallow_node_port.yaml
|
||||
resource: test/scenarios/resources/disallow_node_port.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Reference in a new issue