upate readme links and remove duplicate policies

2025-03-29 02:45:06 +00:00 · 2019-09-08 10:41:07 -07:00 · 2019-09-08 10:41:07 -07:00 · 59c1e83466
commit 59c1e83466
parent 10c1490817
46 changed files with 207 additions and 141 deletions
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@ -1,21 +1,19 @@
 # Best Practice Policies

-This folder contains recommended policies
-
 | Best practice                                  | Policy
 |------------------------------------------------|-----------------------------------------------------------------------|
-| Run as non-root user                           |                                                                       |
-| Disallow privileged and privilege escalation   |                                                                       |
-| Disallow use of host networking and ports      |                                                                       |
-| Disallow use of host filesystem                |                                                                       |
+| Run as non-root user                           | [policy_validate_deny_runasrootuser.yaml](policy_validate_deny_runasrootuser.yaml)                                                                           |
+| Disallow privileged and privilege escalation   | [policy_validate_container_disallow_priviledgedprivelegesecalation.yaml](policy_validate_container_disallow_priviledgedprivelegesecalation.yaml)             |
+| Disallow use of host networking and ports      |  [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml)                                                                            |
+| Disallow use of host filesystem                |  [policy_validate_host_path.yaml](policy_validate_host_path.yaml)                                                                                            |
 | Disallow hostPOD and hostIPC                   |                                                                       |
 | Require read only root filesystem              |                                                                       |
-| Disallow node ports                            |                                                                       |
-| Allow trusted registries                       |                                                                       |
-| Require resource requests and limits           | [container_resources.yaml](container_resources.yaml)                  |
-| Require pod liveness and readiness probes      |                                                                       |
-| Require an image tag                           |                                                                       |
-| Disallow latest tag and pull IfNotPresent      |                                                                       |
+| Disallow node ports                            |                                                                                                                  |
+| Allow trusted registries                       | [policy_validate_image_registries.yaml](policy_validate_image_registries.yaml)                                                                               |
+| Require resource requests and limits           | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml)                                                                                     |
+| Require pod liveness and readiness probes      | [policy_validate_pod_probes.yaml](policy_validate_pod_probes.yaml)                                                                                           |
+| Require an image tag                           | [policy_validate_image_tag_notspecified_deny.yaml](policy_validate_image_tag_notspecified_deny.yaml)                                                         |
+| Disallow latest tag and pull IfNotPresent      | [policy_validate_image_latest_ifnotpresent_deny.yaml](policy_validate_image_latest_ifnotpresent_deny.yaml)                                                   |
 | Require a namespace (disallow default)         |                                                                       |
 | Disallow use of kube-system namespace          |                                                                       |
 | Prevent mounting of service account secret     |                                                                       |
--- a/examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml
+++ b/examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml
@ -1,32 +1,11 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: check-container-security-context
+  name: validate-deny-privileged-disallowpriviligedescalation
 spec:
  validationFailureAction: "audit"
  rules:
-  - name: check-root-user
-    exclude:
-      resources:
-        namespaces: 
-        - kube-system
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Root user is not allowed. Set runAsNonRoot to true."
-      anyPattern:
-      - spec:
-          securityContext:
-            runAsNonRoot: true
-      # pattern:
-      #   spec:
-      #     containers:
-      #     - name: "*"
-      #       securityContext:
-      #         runAsNonRoot: true
-  - name: check-privilege
+  - name: deny-privileged-disallowpriviligedescalation
    exclude:
      resources:
        namespaces: 
@ -48,4 +27,4 @@ spec:
      #     - name: "*"
      #       securityContext:
      #         allowPrivilegeEscalation: false
-      #         privileged: false
+      #         privileged: false    
--- a/examples/best_practices/policy_validate_default_namespace.yaml
+++ b/examples/best_practices/policy_validate_default_namespace.yaml
--- a/examples/best_practices/policy_validate_deny_runasrootuser.yaml
+++ b/examples/best_practices/policy_validate_deny_runasrootuser.yaml
@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-deny-runasrootuser
+spec:
+  validationFailureAction: "audit"
+  rules:
+  - name: deny-runasrootuser
+    exclude:
+      resources:
+        namespaces: 
+        - kube-system
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Root user is not allowed. Set runAsNonRoot to true."
+      anyPattern:
+      - spec:
+          securityContext:
+            runAsNonRoot: true
+      # pattern:
+      #   spec:
+      #     containers:
+      #     - name: "*"
+      #       securityContext:
+      #         runAsNonRoot: true
--- a/examples/best_practices/policy_validate_host_network_port.yaml
+++ b/examples/best_practices/policy_validate_host_network_port.yaml
--- a/examples/best_practices/policy_validate_host_path.yaml
+++ b/examples/best_practices/policy_validate_host_path.yaml
--- a/examples/best_practices/policy_validate_image_registries.yaml
+++ b/examples/best_practices/policy_validate_image_registries.yaml
--- a/examples/best_practices/resources/resource_default_namespace.yaml
+++ b/examples/best_practices/resources/resource_default_namespace.yaml
--- a/examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
+++ b/examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
--- a/examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml
+++ b/examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml
--- a/examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml
+++ b/examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml
--- a/examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
+++ b/examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
--- a/examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
+++ b/examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
--- a/examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml
+++ b/examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml
--- a/examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
+++ b/examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
--- a/examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml
+++ b/examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml
--- a/examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml
+++ b/examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml
--- a/examples/best_practices/resources/resource_validate_nonRootUser.yaml
+++ b/examples/best_practices/resources/resource_validate_nonRootUser.yaml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sec-ctx-unprivileged
+spec:
+  # securityContext:
+  #   runAsNonRoot: true
+  containers:
+  - name: imagen-with-hostpath
+    image: nginxinc/nginx-unprivileged
--- a/examples/best_practices/resources/resource_validate_pod_resources.yaml
+++ b/examples/best_practices/resources/resource_validate_pod_resources.yaml
--- a/examples/best_practices/validate_image_tag.yaml
+++ b/examples/best_practices/validate_image_tag.yaml
@ -1,34 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  annotations:
-    kyverno.io/category: images
-    kyverno.io/description: |
-      ......
-  name: validate-image
-spec:
-  rules:
-  - name: validate-tag
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "An image tag is required"    
-      pattern:
-        spec:
-          containers:
-          - image: "*:*"  
-  - name: validate-latest
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "imagePullPolicy 'Always' required with tag 'latest'"    
-      pattern:
-        spec:
-          containers:
-          - (image): "*latest"
-            imagePullPolicy: Always
-
--- a/examples/best_practices/validate_pod_probes.yaml
+++ b/examples/best_practices/validate_pod_probes.yaml
@ -1,25 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-probes
-spec:
-  validationFailureAction: "audit"
-  rules:
-  - name: check-probes
-    match:
-      resources:
-        kinds:
-        - Pod
-    # exclude:
-    #   namespaces:
-    #     - kube-system
-    validate:
-      message: "Liveness and readiness probes are required"
-      pattern:
-        spec:
-          containers:
-            livenessProbe:
-              periodSeconds: ">0"      
-            readinessProbe:
-              periodSeconds: ">0"
-
--- a/examples/best_practices/validate_pod_resources.yaml
+++ b/examples/best_practices/validate_pod_resources.yaml
@ -1,25 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: check-resources
-spec:
-  validationFailureAction: "audit"
-  rules:
-  - name: check-pod-resources
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "CPU and memory resource requests and limits are required"
-      pattern:
-        spec:
-          containers:
-          - name: "*"
-            resources:
-              requests:
-                memory: "?*"
-                cpu: "?*"
-              limits:
-                memory: "?*"
-                cpu: "?*"
--- a/examples/resources/resource_generate_networkPolicy.yaml
+++ b/examples/resources/resource_generate_networkPolicy.yaml
@ -0,0 +1,4 @@
+kind: Namespace
+apiVersion: v1
+metadata: 
+    name: "devtest"
--- a/examples/resources/resource_mutate_endpoint.yaml
+++ b/examples/resources/resource_mutate_endpoint.yaml
@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: test-endpoint
+  labels:
+    label : test
+subsets:
+- addresses:
+  - ip: 192.168.10.171
+  ports:
+  - name: secure-connection
+    port: 443
+    protocol: TCP
--- a/examples/resources/resource_mutate_imagePullPolicy.yaml
+++ b/examples/resources/resource_mutate_imagePullPolicy.yaml
@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginxlatest
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginxlatest
+  template:
+    metadata:
+      labels:
+        app: nginxlatest
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest
+        imagePullPolicy: Always
--- a/examples/resources/resource_mutate_validate_qos.yaml
+++ b/examples/resources/resource_mutate_validate_qos.yaml
@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: qos-demo
+  labels:
+    test: qos
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest
+        resources:
+          limits:
+            cpu: "50m"
--- a/examples/resources/resource_validate_containerSecurityContext.yaml
+++ b/examples/resources/resource_validate_containerSecurityContext.yaml
@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: csc-demo-unprivileged
+  labels:
+    app.type: prod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: psp
+  template:
+    metadata:
+      labels:
+        app: psp
+    spec:
+      containers:
+      - name: sec-ctx-unprivileged
+        image: nginxinc/nginx-unprivileged
+        securityContext:
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
--- a/examples/resources/resource_validate_healthChecks.yaml
+++ b/examples/resources/resource_validate_healthChecks.yaml
@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    test: probe
+  name: probe
+spec:
+  containers:
+  - name: check-readiness
+    image: k8s.gcr.io/busybox
+    args:
+    - /bin/sh
+    - -c
+    - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
+    readinessProbe:
+      successThreshold: 3
+      exec:
+        command:
+        - cat
+        - /tmp/healthy
+  - name: check-liveness
+    image: k8s.gcr.io/liveness
+    args:
+    - /server
+    livenessProbe:
+      httpGet:
+        path: /healthz
+        port: 8080
+        scheme: HTTP
+        httpHeaders:
+        - name: Custom-Header
+          value: Awesome
+      periodSeconds: 3
--- a/examples/resources/resource_validate_imageRegistries.yaml
+++ b/examples/resources/resource_validate_imageRegistries.yaml
@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nirmata-nginx
+  labels:
+    app: nirmata-nginx
+    cli: test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nirmata-nginx
+        # image: nginx
+        image: nirmata/nginx
--- a/test/scenarios/test/scenario_generate_networkPolicy.yaml
+++ b/test/scenarios/test/scenario_generate_networkPolicy.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/policy_generate_networkPolicy.yaml
-  resource: examples/resource_generate_networkPolicy.yaml
+  resource: examples/resources/resource_generate_networkPolicy.yaml
 expected:
  generation:
    generatedResources:
--- a/test/scenarios/test/scenario_mutate_endPpoint.yaml
+++ b/test/scenarios/test/scenario_mutate_endPpoint.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/policy_mutate_endpoint.yaml
-  resource: examples/resource_mutate_endpoint.yaml
+  resource: examples/resources/resource_mutate_endpoint.yaml
 expected:
  mutation:
    patchedresource: test/output/output_mutate_endpoint.yaml
--- a/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml
+++ b/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/policy_mutate_imagePullPolicy.yaml
-  resource: examples/resource_mutate_imagePullPolicy.yaml
+  resource: examples/resources/resource_mutate_imagePullPolicy.yaml
 expected:
  mutation:
    patchedresource: test/output/output_mutate_imagePullPolicy.yaml
--- a/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
+++ b/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
-  resource: examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml
+  resource: examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
 expected:
  mutation:
    patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml
--- a/test/scenarios/test/scenario_mutate_validate_qos.yaml
+++ b/test/scenarios/test/scenario_mutate_validate_qos.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/policy_mutate_validate_qos.yaml
-  resource: examples/resource_mutate_validate_qos.yaml
+  resource: examples/resources/resource_mutate_validate_qos.yaml
 expected:
  mutation:
    patchedresource: test/output/output_mutate_validate_qos.yaml
--- a/test/scenarios/test/scenario_validate_containerSecurityContext.yaml
+++ b/test/scenarios/test/scenario_validate_containerSecurityContext.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/policy_validate_containerSecurityContext.yaml
-  resource: examples/resource_validate_containerSecurityContext.yaml
+  resource: examples/resources/resource_validate_containerSecurityContext.yaml
 expected:
  validation:
    policyresponse:
--- a/test/scenarios/test/scenario_validate_healthChecks.yaml
+++ b/test/scenarios/test/scenario_validate_healthChecks.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/policy_validate_healthChecks.yaml
-  resource: examples/resource_validate_healthChecks.yaml
+  resource: examples/resources/resource_validate_healthChecks.yaml
 expected:
  validation:
    policyresponse:
--- a/test/scenarios/test/scenario_validate_imageRegistries.yaml
+++ b/test/scenarios/test/scenario_validate_imageRegistries.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/policy_validate_imageRegistries.yaml
-  resource: examples/resource_validate_imageRegistries.yaml
+  resource: examples/resources/resource_validate_imageRegistries.yaml
 expected:
  validation:
    policyresponse:
--- a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml
+++ b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
-  resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml
+  resource: examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml
 expected:
  validation:
    policyresponse:
--- a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml
+++ b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
-  resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml
+  resource: examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml
 expected:
  validation:
    policyresponse:
--- a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
+++ b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
-  resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml
+  resource: examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
 expected:
  validation:
    policyresponse:
--- a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
+++ b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
-  resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml
+  resource: examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
 expected:
  validation:
    policyresponse:
--- a/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml
+++ b/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
-  resource: examples/best_practices/resource_validate_image_tag_latest_deny.yaml
+  resource: examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml
 expected:
  validation:
    policyresponse:
--- a/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml
+++ b/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
-  resource: examples/best_practices/resource_validate_image_tag_latest_pass.yaml
+  resource: examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
 expected:
  validation:
    policyresponse:
--- a/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
+++ b/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
-  resource: examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml
+  resource: examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml
 expected:
  validation:
    policyresponse:
--- a/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
+++ b/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
@ -1,7 +1,7 @@
 # file path relative to project root
 input:
  policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
-  resource: examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml
+  resource: examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml
 expected:
  validation:
    policyresponse:
--- a/test/scenarios/test/scenario_validate_nonRootUser.yaml
+++ b/test/scenarios/test/scenario_validate_nonRootUser.yaml
@ -1,18 +1,18 @@
 # file path relative to project root
 input:
-  policy: examples/policy_validate_nonRootUser.yaml
-  resource: examples/resource_validate_nonRootUser.yaml
+  policy: examples/best_practices/policy_validate_deny_runasrootuser.yaml
+  resource: examples/best_practices/resources/resource_validate_nonRootUser.yaml
 expected:
  validation:
    policyresponse:
-      policy: check-container-security-context
+      policy: validate-deny-runasrootuser
      resource:
        kind: Pod
        apiVersion: v1
        namespace: ''
        name: sec-ctx-unprivileged
      rules:
-        - name: check-root-user
+        - name: deny-runasrootuser
          type: Validation
-          message: Validation rule 'check-root-user' failed to validate patterns defined in anyPattern. Root user is not allowed. Set runAsNonRoot to true.; anyPattern[0] failed at path /spec/securityContext/; anyPattern[1] failed at path /spec/containers/0/securityContext/
+          message: Validation rule 'deny-runasrootuser' failed to validate patterns defined in anyPattern. Root user is not allowed. Set runAsNonRoot to true.; anyPattern[0] failed at path /spec/securityContext/
          success: false