mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

Add severity to pod security policies (#1797)

Browse source 
Signed-off-by: Frank Jogeleit <fj@move-elevator.de>
This commit is contained in:
Frank Jogeleit 2021-04-17 02:41:30 +02:00 committed by GitHub
parent 69c3418ca9
commit 56183cc73d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 45 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
charts/kyverno/README.md
View file

@ -103,6 +103,7 @@ The following table lists the configurable parameters of the kyverno chart and t
| `tolerations` | list of node taints to tolerate | `[]` |
| `securityContext` | security context configuration | `{}` |
| `podSecurityStandard` | set desired pod security level `privileged`, `default`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `default` |
| `podSecuritySeverity` | set desired pod security severity `low`, `medium`, `high`. Used severity level in PolicyReportResults for the selected pod security policies. | `medium` |
| `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` |
| `validationFailureAction` | set to get response in failed validation check. Supported values- `audit`, `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` |

3
charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
View file

@ -6,6 +6,9 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
Capabilities permit privileged actions without giving full root access.
Adding capabilities beyond the default set must not be allowed.

3
charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
View file

@ -6,6 +6,9 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
network namespace) allow access to shared information and can be used to elevate

3
charts/kyverno/templates/policies/default/disallow-host-path.yaml
View file

@ -6,6 +6,9 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
HostPath volumes let pods use host directories and volumes in containers.
Using host resources can be used to access shared data or escalate privileges

3
charts/kyverno/templates/policies/default/disallow-host-ports.yaml
View file

@ -6,6 +6,9 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should not be
allowed, or at minimum restricted to a known list.

3
charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
View file

@ -6,6 +6,9 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
Privileged mode disables most security mechanisms and must not be allowed.
spec:

3
charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
View file

@ -6,6 +6,9 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
The default /proc masks are set up to reduce attack surface and should be required.
spec:

3
charts/kyverno/templates/policies/default/disallow-selinux.yaml
View file

@ -7,6 +7,9 @@ metadata:
annotations:
policies.kyverno.io/title: Disallow SELinux
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
SELinux options can be used to escalate privileges and should not be allowed.
spec:

3
charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
View file

@ -7,6 +7,9 @@ metadata:
annotations:
policies.kyverno.io/title: Restrict AppArmor
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
The default policy should prevent overriding or disabling the policy, or restrict

3
charts/kyverno/templates/policies/default/restrict-sysctls.yaml
View file

@ -6,6 +6,9 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
Sysctls can disable security mechanisms or affect all containers on a
host, and should be disallowed except for an allowed "safe" subset. A

3
charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
View file

@ -6,6 +6,9 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
spec:

3
charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
View file

@ -6,6 +6,9 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
Containers should be forbidden from running with a root primary or supplementary GID.
spec:

3
charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
View file

@ -6,6 +6,9 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: Containers must be required to run as non-root users.
spec:
background: true

3
charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
View file

@ -7,6 +7,9 @@ metadata:
annotations:
policies.kyverno.io/title: Restrict Seccomp
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
The runtime default seccomp profile must be required, or only specific
additional profiles should be allowed.

3
charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
View file

@ -6,6 +6,9 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
policies.kyverno.io/description: >-
In addition to restricting HostPath volumes, the restricted pod security profile
limits usage of non-core volume types to those defined through PersistentVolumes.

2
charts/kyverno/values.yaml
View file

@ -4,6 +4,8 @@ namespace:
# Supported- default/restricted/privileged/custom
# For more info- https://kyverno.io/policies/pod-security
podSecurityStandard: default
# Supported- low/medium/high
podSecuritySeverity: medium
# Policies to include when podSecurityStandard is custom
podSecurityPolicies: []
# Supported values- `audit`, `enforce`