diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 4d73304eb8..e1e3a39900 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -103,6 +103,7 @@ The following table lists the configurable parameters of the kyverno chart and t
 | `tolerations` | list of node taints to tolerate | `[]` |
 | `securityContext` | security context configuration | `{}` |
 | `podSecurityStandard` | set desired pod security level `privileged`, `default`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `default` |
+| `podSecuritySeverity` | set desired pod security severity `low`, `medium`, `high`. Used severity level in PolicyReportResults for the selected pod security policies. | `medium` |
 | `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` |
 | `validationFailureAction` | set to get response in failed validation check. Supported values- `audit`, `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` |
diff --git a/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml b/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
index 802f1adf98..8c2218d08a 100644
--- a/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
@@ -6,6 +6,9 @@ metadata:
 name: {{ $name }}
 annotations:
 policies.kyverno.io/category: Pod Security Standards (Default)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed.
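Review bot: The closing `{{- end -}}` in the added severity block trims the newline and indentation that follow it, so the rendered annotations come out as `policies.kyverno.io/severity: "medium"policies.kyverno.io/description: >-` (and, when `podSecuritySeverity` is empty, the category line runs straight into the description key), which is not valid YAML for this policy. The closing tag should keep only the left-hand trim: `{{- end }}`. The same closing tag is added in every other template hunk of this diff (disallow-host-namespaces, disallow-host-path, disallow-host-ports, disallow-privileged-containers, disallow-proc-mount, disallow-selinux, restrict-apparmor-profiles, restrict-sysctls, deny-privilege-escalation, require-non-root-groups, require-run-as-nonroot, restrict-seccomp, restrict-volume-types) and needs the same one-character fix. Rendering the chart with `helm template` under the default values would show the broken annotation block.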
diff --git a/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml b/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
index b99076ffeb..114abbb0ea 100644
--- a/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
@@ -6,6 +6,9 @@ metadata:
 name: {{ $name }}
 annotations:
 policies.kyverno.io/category: Pod Security Standards (Default)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate
diff --git a/charts/kyverno/templates/policies/default/disallow-host-path.yaml b/charts/kyverno/templates/policies/default/disallow-host-path.yaml
index f0ae2f13ab..4226495bbf 100644
--- a/charts/kyverno/templates/policies/default/disallow-host-path.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-path.yaml
@@ -6,6 +6,9 @@ metadata:
 name: {{ $name }}
 annotations:
 policies.kyverno.io/category: Pod Security Standards (Default)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 HostPath volumes let pods use host directories and volumes in containers. Using host resources can be used to access shared data or escalate privileges
diff --git a/charts/kyverno/templates/policies/default/disallow-host-ports.yaml b/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
index ac71ce3cc6..3625f64348 100644
--- a/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
@@ -6,6 +6,9 @@ metadata:
 name: {{ $name }}
 annotations:
 policies.kyverno.io/category: Pod Security Standards (Default)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list.
diff --git a/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml b/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
index 80e7c7eb30..5fb6cb4f24 100644
--- a/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
@@ -6,6 +6,9 @@ metadata:
 name: {{ $name }}
 annotations:
 policies.kyverno.io/category: Pod Security Standards (Default)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 Privileged mode disables most security mechanisms and must not be allowed.
 spec:
diff --git a/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml b/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
index 0a0589ea30..7cdc211410 100644
--- a/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
@@ -6,6 +6,9 @@ metadata:
 name: {{ $name }}
 annotations:
 policies.kyverno.io/category: Pod Security Standards (Default)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 The default /proc masks are set up to reduce attack surface and should be required.
 spec:
diff --git a/charts/kyverno/templates/policies/default/disallow-selinux.yaml b/charts/kyverno/templates/policies/default/disallow-selinux.yaml
index ab9eab833f..8840409446 100644
--- a/charts/kyverno/templates/policies/default/disallow-selinux.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-selinux.yaml
@@ -7,6 +7,9 @@ metadata:
 annotations:
 policies.kyverno.io/title: Disallow SELinux
 policies.kyverno.io/category: Pod Security Standards (Default)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 SELinux options can be used to escalate privileges and should not be allowed.
 spec:
diff --git a/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml b/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
index 792adc36e7..58b403415c 100644
--- a/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
@@ -7,6 +7,9 @@ metadata:
 annotations:
 policies.kyverno.io/title: Restrict AppArmor
 policies.kyverno.io/category: Pod Security Standards (Default)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 On supported hosts, the 'runtime/default' AppArmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict
diff --git a/charts/kyverno/templates/policies/default/restrict-sysctls.yaml b/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
index ab3d2d7e92..12b6c8db08 100644
--- a/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
+++ b/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
@@ -6,6 +6,9 @@ metadata:
 name: {{ $name }}
 annotations:
 policies.kyverno.io/category: Pod Security Standards (Default)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset. A
diff --git a/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml b/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
index 9177b2f1a1..4dd41ceba5 100644
--- a/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
+++ b/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
@@ -6,6 +6,9 @@ metadata:
 name: {{ $name }}
 annotations:
 policies.kyverno.io/category: Pod Security Standards (Restricted)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
 spec:
diff --git a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
index 2fd0cc121e..b1b43d8159 100644
--- a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
+++ b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
@@ -6,6 +6,9 @@ metadata:
 name: {{ $name }}
 annotations:
 policies.kyverno.io/category: Pod Security Standards (Restricted)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 Containers should be forbidden from running with a root primary or supplementary GID.
 spec:
diff --git a/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml b/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
index 0d6eaba155..8d140463f8 100644
--- a/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
@@ -6,6 +6,9 @@ metadata:
 name: {{ $name }}
 annotations:
 policies.kyverno.io/category: Pod Security Standards (Restricted)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: Containers must be required to run as non-root users.
 spec:
 background: true
diff --git a/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml b/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
index 5b96246ab1..c7e171f255 100644
--- a/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
+++ b/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
@@ -7,6 +7,9 @@ metadata:
 annotations:
 policies.kyverno.io/title: Restrict Seccomp
 policies.kyverno.io/category: Pod Security Standards (Restricted)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 The runtime default seccomp profile must be required, or only specific additional profiles should be allowed.
diff --git a/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml b/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
index 8ef906a5bb..189081c000 100644
--- a/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
@@ -6,6 +6,9 @@ metadata:
 name: {{ $name }}
 annotations:
 policies.kyverno.io/category: Pod Security Standards (Restricted)
+ {{- if .Values.podSecuritySeverity }}
+ policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
+ {{- end -}}
 policies.kyverno.io/description: >-
 In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes.
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index fbeef11bc5..6add45e1af 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -4,6 +4,8 @@ namespace:
 # Supported- default/restricted/privileged/custom
 # For more info- https://kyverno.io/policies/pod-security
 podSecurityStandard: default
+# Supported- low/medium/high
+podSecuritySeverity: medium
 # Policies to include when podSecurityStandard is custom
 podSecurityPolicies: []
 # Supported values- `audit`, `enforce`
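Review bot: The new `podSecuritySeverity` value in values.yaml is documented as `low/medium/high`, but the templates only test it for truthiness and pass whatever string is set straight into the `policies.kyverno.io/severity` annotation, so a typo is not caught at render time and presumably shows up as an unrecognised severity in the policy reports. The comment should also say what an empty value does, since the templates then omit the annotation entirely: `# Supported- low/medium/high; leave empty to omit the severity annotation from the generated policies`. If the chart later grows a values schema, this is a natural candidate for an enum constraint.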