mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
chore: fix policies (#8449)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
f9c85f447d
commit
6a43ec4bcf
42 changed files with 820 additions and 637 deletions
4
Makefile
4
Makefile
|
@ -547,12 +547,12 @@ codegen-docs-all: codegen-helm-docs codegen-cli-docs codegen-api-docs ## Genera
|
|||
.PHONY: codegen-fix-tests
|
||||
codegen-fix-tests: $(CLI_BIN) ## Fix CLI test files
|
||||
@echo Fix CLI test files... >&2
|
||||
@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix test ./test/cli --save --compress --force
|
||||
@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix test . --save --compress --force
|
||||
|
||||
.PHONY: codegen-fix-policies
|
||||
codegen-fix-policies: $(CLI_BIN) ## Fix CLI policy files
|
||||
@echo Fix CLI policy files... >&2
|
||||
@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix policy ./test/cli/test --save
|
||||
@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix policy . --save
|
||||
|
||||
.PHONY: codegen-cli-all
|
||||
codegen-cli-all: codegen-cli-crds codegen-cli-docs codegen-cli-api-docs codegen-fix-tests ## Generate all CLI related code and docs
|
||||
|
|
|
@ -1,4 +1,7 @@
|
|||
name: test-registry
|
||||
apiVersion: cli.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
name: test-registry
|
||||
policies:
|
||||
- image-example.yaml
|
||||
resources:
|
||||
|
@ -8,11 +11,6 @@ results:
|
|||
policy: images
|
||||
resources:
|
||||
- test-pod-with-non-root-user-image
|
||||
result: pass
|
||||
rule: only-allow-trusted-images
|
||||
- kind: Pod
|
||||
policy: images
|
||||
resources:
|
||||
- test-pod-with-trusted-registry
|
||||
result: pass
|
||||
rule: only-allow-trusted-images
|
||||
|
|
|
@ -1,16 +1,12 @@
|
|||
name: add-quota
|
||||
apiVersion: cli.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
name: add-quota
|
||||
policies:
|
||||
- policy.yaml
|
||||
resources:
|
||||
- resource.yaml
|
||||
results:
|
||||
- generatedResource: generatedResourceQuota.yaml
|
||||
kind: Namespace
|
||||
policy: add-ns-quota
|
||||
resources:
|
||||
- hello-world-namespace
|
||||
result: pass
|
||||
rule: generate-resourcequota
|
||||
- generatedResource: generatedLimitRange.yaml
|
||||
kind: Namespace
|
||||
policy: add-ns-quota
|
||||
|
@ -18,3 +14,10 @@ results:
|
|||
- hello-world-namespace
|
||||
result: pass
|
||||
rule: generate-limitrange
|
||||
- generatedResource: generatedResourceQuota.yaml
|
||||
kind: Namespace
|
||||
policy: add-ns-quota
|
||||
resources:
|
||||
- hello-world-namespace
|
||||
result: pass
|
||||
rule: generate-resourcequota
|
||||
|
|
|
@ -107,6 +107,18 @@ func (o options) processFile(out io.Writer, path string) {
|
|||
rule := rule.(map[string]interface{})
|
||||
unstructured.RemoveNestedField(rule, "exclude", "resources")
|
||||
unstructured.RemoveNestedField(rule, "match", "resources")
|
||||
if any, ok, err := unstructured.NestedFieldNoCopy(rule, "match", "any"); ok && err == nil {
|
||||
cleanResourceFilters(any.([]interface{}))
|
||||
}
|
||||
if all, ok, err := unstructured.NestedFieldNoCopy(rule, "match", "all"); ok && err == nil {
|
||||
cleanResourceFilters(all.([]interface{}))
|
||||
}
|
||||
if any, ok, err := unstructured.NestedFieldNoCopy(rule, "exclude", "any"); ok && err == nil {
|
||||
cleanResourceFilters(any.([]interface{}))
|
||||
}
|
||||
if all, ok, err := unstructured.NestedFieldNoCopy(rule, "exclude", "all"); ok && err == nil {
|
||||
cleanResourceFilters(all.([]interface{}))
|
||||
}
|
||||
if item, _, _ := unstructured.NestedMap(rule, "generate", "clone"); len(item) == 0 {
|
||||
unstructured.RemoveNestedField(rule, "generate", "clone")
|
||||
}
|
||||
|
@ -165,3 +177,12 @@ func (o options) processFile(out io.Writer, path string) {
|
|||
fmt.Fprintln(out, " OK")
|
||||
}
|
||||
}
|
||||
|
||||
func cleanResourceFilters(rf []interface{}) {
|
||||
for _, f := range rf {
|
||||
a := f.(map[string]interface{})
|
||||
if item, _, _ := unstructured.NestedMap(a, "resources"); len(item) == 0 {
|
||||
unstructured.RemoveNestedField(a, "resources")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -10,6 +10,8 @@ import (
|
|||
"github.com/go-git/go-billy/v5/memfs"
|
||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/v1alpha1"
|
||||
"gotest.tools/assert"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
func TestLoadTests(t *testing.T) {
|
||||
|
@ -47,7 +49,13 @@ func TestLoadTests(t *testing.T) {
|
|||
want: []TestCase{{
|
||||
Path: "../_testdata/tests/test-1/kyverno-test.yaml",
|
||||
Test: &v1alpha1.Test{
|
||||
Name: "test-registry",
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
APIVersion: "cli.kyverno.io/v1alpha1",
|
||||
Kind: "Test",
|
||||
},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "test-registry",
|
||||
},
|
||||
Policies: []string{"image-example.yaml"},
|
||||
Resources: []string{"resources.yaml"},
|
||||
Results: []v1alpha1.TestResult{{
|
||||
|
@ -57,15 +65,10 @@ func TestLoadTests(t *testing.T) {
|
|||
Result: policyreportv1alpha2.StatusPass,
|
||||
Rule: "only-allow-trusted-images",
|
||||
},
|
||||
Resources: []string{"test-pod-with-non-root-user-image"},
|
||||
}, {
|
||||
TestResultBase: v1alpha1.TestResultBase{
|
||||
Kind: "Pod",
|
||||
Policy: "images",
|
||||
Result: policyreportv1alpha2.StatusPass,
|
||||
Rule: "only-allow-trusted-images",
|
||||
Resources: []string{
|
||||
"test-pod-with-non-root-user-image",
|
||||
"test-pod-with-trusted-registry",
|
||||
},
|
||||
Resources: []string{"test-pod-with-trusted-registry"},
|
||||
}},
|
||||
},
|
||||
}},
|
||||
|
@ -77,7 +80,13 @@ func TestLoadTests(t *testing.T) {
|
|||
want: []TestCase{{
|
||||
Path: "../_testdata/tests/test-2/kyverno-test.yaml",
|
||||
Test: &v1alpha1.Test{
|
||||
Name: "add-quota",
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
APIVersion: "cli.kyverno.io/v1alpha1",
|
||||
Kind: "Test",
|
||||
},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "add-quota",
|
||||
},
|
||||
Policies: []string{"policy.yaml"},
|
||||
Resources: []string{"resource.yaml"},
|
||||
Results: []v1alpha1.TestResult{{
|
||||
|
@ -85,8 +94,8 @@ func TestLoadTests(t *testing.T) {
|
|||
Kind: "Namespace",
|
||||
Policy: "add-ns-quota",
|
||||
Result: policyreportv1alpha2.StatusPass,
|
||||
Rule: "generate-resourcequota",
|
||||
GeneratedResource: "generatedResourceQuota.yaml",
|
||||
Rule: "generate-limitrange",
|
||||
GeneratedResource: "generatedLimitRange.yaml",
|
||||
},
|
||||
Resources: []string{"hello-world-namespace"},
|
||||
}, {
|
||||
|
@ -94,8 +103,8 @@ func TestLoadTests(t *testing.T) {
|
|||
Kind: "Namespace",
|
||||
Policy: "add-ns-quota",
|
||||
Result: policyreportv1alpha2.StatusPass,
|
||||
Rule: "generate-limitrange",
|
||||
GeneratedResource: "generatedLimitRange.yaml",
|
||||
Rule: "generate-resourcequota",
|
||||
GeneratedResource: "generatedResourceQuota.yaml",
|
||||
},
|
||||
Resources: []string{"hello-world-namespace"},
|
||||
}},
|
||||
|
@ -109,7 +118,13 @@ func TestLoadTests(t *testing.T) {
|
|||
want: []TestCase{{
|
||||
Path: "../_testdata/tests/test-1/kyverno-test.yaml",
|
||||
Test: &v1alpha1.Test{
|
||||
Name: "test-registry",
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
APIVersion: "cli.kyverno.io/v1alpha1",
|
||||
Kind: "Test",
|
||||
},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "test-registry",
|
||||
},
|
||||
Policies: []string{"image-example.yaml"},
|
||||
Resources: []string{"resources.yaml"},
|
||||
Results: []v1alpha1.TestResult{{
|
||||
|
@ -119,21 +134,22 @@ func TestLoadTests(t *testing.T) {
|
|||
Result: policyreportv1alpha2.StatusPass,
|
||||
Rule: "only-allow-trusted-images",
|
||||
},
|
||||
Resources: []string{"test-pod-with-non-root-user-image"},
|
||||
}, {
|
||||
TestResultBase: v1alpha1.TestResultBase{
|
||||
Kind: "Pod",
|
||||
Policy: "images",
|
||||
Result: policyreportv1alpha2.StatusPass,
|
||||
Rule: "only-allow-trusted-images",
|
||||
Resources: []string{
|
||||
"test-pod-with-non-root-user-image",
|
||||
"test-pod-with-trusted-registry",
|
||||
},
|
||||
Resources: []string{"test-pod-with-trusted-registry"},
|
||||
}},
|
||||
},
|
||||
}, {
|
||||
Path: "../_testdata/tests/test-2/kyverno-test.yaml",
|
||||
Test: &v1alpha1.Test{
|
||||
Name: "add-quota",
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
APIVersion: "cli.kyverno.io/v1alpha1",
|
||||
Kind: "Test",
|
||||
},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "add-quota",
|
||||
},
|
||||
Policies: []string{"policy.yaml"},
|
||||
Resources: []string{"resource.yaml"},
|
||||
Results: []v1alpha1.TestResult{{
|
||||
|
@ -141,8 +157,8 @@ func TestLoadTests(t *testing.T) {
|
|||
Kind: "Namespace",
|
||||
Policy: "add-ns-quota",
|
||||
Result: policyreportv1alpha2.StatusPass,
|
||||
Rule: "generate-resourcequota",
|
||||
GeneratedResource: "generatedResourceQuota.yaml",
|
||||
Rule: "generate-limitrange",
|
||||
GeneratedResource: "generatedLimitRange.yaml",
|
||||
},
|
||||
Resources: []string{"hello-world-namespace"},
|
||||
}, {
|
||||
|
@ -150,8 +166,8 @@ func TestLoadTests(t *testing.T) {
|
|||
Kind: "Namespace",
|
||||
Policy: "add-ns-quota",
|
||||
Result: policyreportv1alpha2.StatusPass,
|
||||
Rule: "generate-limitrange",
|
||||
GeneratedResource: "generatedLimitRange.yaml",
|
||||
Rule: "generate-resourcequota",
|
||||
GeneratedResource: "generatedResourceQuota.yaml",
|
||||
},
|
||||
Resources: []string{"hello-world-namespace"},
|
||||
}},
|
||||
|
@ -198,7 +214,13 @@ func TestLoadTest(t *testing.T) {
|
|||
want: TestCase{
|
||||
Path: "../_testdata/tests/test-1/kyverno-test.yaml",
|
||||
Test: &v1alpha1.Test{
|
||||
Name: "test-registry",
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
APIVersion: "cli.kyverno.io/v1alpha1",
|
||||
Kind: "Test",
|
||||
},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "test-registry",
|
||||
},
|
||||
Policies: []string{"image-example.yaml"},
|
||||
Resources: []string{"resources.yaml"},
|
||||
Results: []v1alpha1.TestResult{{
|
||||
|
@ -208,15 +230,10 @@ func TestLoadTest(t *testing.T) {
|
|||
Result: policyreportv1alpha2.StatusPass,
|
||||
Rule: "only-allow-trusted-images",
|
||||
},
|
||||
Resources: []string{"test-pod-with-non-root-user-image"},
|
||||
}, {
|
||||
TestResultBase: v1alpha1.TestResultBase{
|
||||
Kind: "Pod",
|
||||
Policy: "images",
|
||||
Result: policyreportv1alpha2.StatusPass,
|
||||
Rule: "only-allow-trusted-images",
|
||||
Resources: []string{
|
||||
"test-pod-with-non-root-user-image",
|
||||
"test-pod-with-trusted-registry",
|
||||
},
|
||||
Resources: []string{"test-pod-with-trusted-registry"},
|
||||
}},
|
||||
},
|
||||
},
|
||||
|
@ -226,7 +243,13 @@ func TestLoadTest(t *testing.T) {
|
|||
want: TestCase{
|
||||
Path: "kyverno-test.yaml",
|
||||
Test: &v1alpha1.Test{
|
||||
Name: "test-registry",
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
APIVersion: "cli.kyverno.io/v1alpha1",
|
||||
Kind: "Test",
|
||||
},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "test-registry",
|
||||
},
|
||||
Policies: []string{"image-example.yaml"},
|
||||
Resources: []string{"resources.yaml"},
|
||||
Results: []v1alpha1.TestResult{{
|
||||
|
@ -236,15 +259,10 @@ func TestLoadTest(t *testing.T) {
|
|||
Result: policyreportv1alpha2.StatusPass,
|
||||
Rule: "only-allow-trusted-images",
|
||||
},
|
||||
Resources: []string{"test-pod-with-non-root-user-image"},
|
||||
}, {
|
||||
TestResultBase: v1alpha1.TestResultBase{
|
||||
Kind: "Pod",
|
||||
Policy: "images",
|
||||
Result: policyreportv1alpha2.StatusPass,
|
||||
Rule: "only-allow-trusted-images",
|
||||
Resources: []string{
|
||||
"test-pod-with-non-root-user-image",
|
||||
"test-pod-with-trusted-registry",
|
||||
},
|
||||
Resources: []string{"test-pod-with-trusted-registry"},
|
||||
}},
|
||||
},
|
||||
},
|
||||
|
@ -288,10 +306,9 @@ func TestLoadTest(t *testing.T) {
|
|||
return
|
||||
}
|
||||
got.Err = nil
|
||||
tt.want.Fs = tt.fs
|
||||
if !reflect.DeepEqual(got, tt.want) {
|
||||
t.Errorf("LoadTest() = %v, want %v", got, tt.want)
|
||||
}
|
||||
tt.want.Fs = nil
|
||||
got.Fs = nil
|
||||
assert.DeepEqual(t, tt.want, got)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,20 +1,24 @@
|
|||
# A file with no reserved name "assert" or "errors" will be created with the below contents. Can be multiple YAML docs in the same file.
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-labels
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: add-labels
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- Service
|
||||
- ConfigMap
|
||||
- Secret
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- Service
|
||||
- ConfigMap
|
||||
- Secret
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
foo: bar
|
||||
name: add-labels
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,19 +1,24 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-labels
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: add-labels
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- Service
|
||||
- ConfigMap
|
||||
- Secret
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- Service
|
||||
- ConfigMap
|
||||
- Secret
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
foo: bar
|
||||
foo: bar
|
||||
name: add-labels
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,13 +1,16 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: testcase-7fki3
|
||||
spec:
|
||||
schemaValidation: false
|
||||
admission: true
|
||||
background: false
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: mutate1
|
||||
- context:
|
||||
- name: var1
|
||||
variable:
|
||||
value: AAA
|
||||
match:
|
||||
all:
|
||||
- resources:
|
||||
|
@ -15,31 +18,27 @@ spec:
|
|||
- v1/ConfigMap
|
||||
names:
|
||||
- testcase-7fki3-resource
|
||||
context:
|
||||
- name: var1
|
||||
variable:
|
||||
value: AAA
|
||||
mutate:
|
||||
foreach:
|
||||
- list: '[''dummy'']'
|
||||
patchStrategicMerge:
|
||||
data:
|
||||
from_loop_1: '{{ var1 || ''!!!variable not resolved!!!'' }}'
|
||||
- list: '[''dummy'']'
|
||||
patchStrategicMerge:
|
||||
data:
|
||||
from_loop_2: '{{ var1 || ''!!!variable not resolved!!!'' }}'
|
||||
- list: '[''dummy'']'
|
||||
patchStrategicMerge:
|
||||
data:
|
||||
from_loop_3: '{{ var1 || ''!!!variable not resolved!!!'' }}'
|
||||
name: mutate1
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation }}"
|
||||
operator: In
|
||||
- key: '{{ request.operation }}'
|
||||
operator: AllIn
|
||||
value:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
mutate:
|
||||
foreach:
|
||||
# first loop
|
||||
- list: "['dummy']"
|
||||
patchStrategicMerge:
|
||||
data:
|
||||
from_loop_1: "{{ var1 || '!!!variable not resolved!!!' }}"
|
||||
# second loop
|
||||
- list: "['dummy']"
|
||||
patchStrategicMerge:
|
||||
data:
|
||||
from_loop_2: "{{ var1 || '!!!variable not resolved!!!' }}"
|
||||
# third loop
|
||||
- list: "['dummy']"
|
||||
patchStrategicMerge:
|
||||
data:
|
||||
from_loop_3: "{{ var1 || '!!!variable not resolved!!!' }}"
|
||||
schemaValidation: false
|
||||
validationFailureAction: Enforce
|
||||
|
|
|
@ -1,29 +1,31 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-latest-tag-events-creation
|
||||
annotations:
|
||||
policies.kyverno.io/title: Disallow Latest Tag
|
||||
policies.kyverno.io/category: Best Practices
|
||||
policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead
|
||||
to unexpected errors if the image changes. A best practice is to use an immutable
|
||||
tag that maps to a specific version of an application Pod. This policy validates
|
||||
that the image specifies a tag and that it is not called `latest`. '
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
The ':latest' tag is mutable and can lead to unexpected errors if the
|
||||
image changes. A best practice is to use an immutable tag that maps to
|
||||
a specific version of an application Pod. This policy validates that the image
|
||||
specifies a tag and that it is not called `latest`.
|
||||
policies.kyverno.io/title: Disallow Latest Tag
|
||||
name: disallow-latest-tag-events-creation
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: validate-image-tag
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: validate-image-tag
|
||||
validate:
|
||||
message: "An image tag is required (:latest is not allowed)"
|
||||
message: An image tag is required (:latest is not allowed)
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- image: "!*:latest & *:*"
|
||||
- image: '!*:latest & *:*'
|
||||
validationFailureAction: Enforce
|
||||
|
|
|
@ -1,32 +1,36 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-remove-list-element-cpol
|
||||
annotations:
|
||||
policies.kyverno.io/category: Workload Management
|
||||
policies.kyverno.io/description: By default, Kubernetes allows communications across
|
||||
all pods within a cluster. Network policies and, a CNI that supports network policies,
|
||||
must be used to restrict communinications. A default NetworkPolicy should be configured
|
||||
for each namespace to default deny all ingress traffic to the pods in the namespace.
|
||||
Application teams can then configure additional NetworkPolicy resources to allow
|
||||
desired traffic to application pods from select sources.
|
||||
policies.kyverno.io/description: By default, Kubernetes allows communications
|
||||
across all pods within a cluster. Network policies and, a CNI that supports
|
||||
network policies, must be used to restrict communinications. A default NetworkPolicy
|
||||
should be configured for each namespace to default deny all ingress traffic
|
||||
to the pods in the namespace. Application teams can then configure additional
|
||||
NetworkPolicy resources to allow desired traffic to application pods from select
|
||||
sources.
|
||||
name: cpol-data-sync-remove-list-element-cpol
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: cpol-data-sync-remove-list-element-rule
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
generate:
|
||||
- generate:
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
name: default-netpol
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
synchronize : true
|
||||
data:
|
||||
spec:
|
||||
# select all pods in the namespace
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
policyTypes:
|
||||
- Ingress
|
||||
kind: NetworkPolicy
|
||||
name: default-netpol
|
||||
namespace: '{{request.object.metadata.name}}'
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
name: cpol-data-sync-remove-list-element-rule
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,33 +1,37 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-remove-list-element-cpol
|
||||
annotations:
|
||||
policies.kyverno.io/category: Workload Management
|
||||
policies.kyverno.io/description: By default, Kubernetes allows communications across
|
||||
all pods within a cluster. Network policies and, a CNI that supports network policies,
|
||||
must be used to restrict communinications. A default NetworkPolicy should be configured
|
||||
for each namespace to default deny all ingress traffic to the pods in the namespace.
|
||||
Application teams can then configure additional NetworkPolicy resources to allow
|
||||
desired traffic to application pods from select sources.
|
||||
policies.kyverno.io/description: By default, Kubernetes allows communications
|
||||
across all pods within a cluster. Network policies and, a CNI that supports
|
||||
network policies, must be used to restrict communinications. A default NetworkPolicy
|
||||
should be configured for each namespace to default deny all ingress traffic
|
||||
to the pods in the namespace. Application teams can then configure additional
|
||||
NetworkPolicy resources to allow desired traffic to application pods from select
|
||||
sources.
|
||||
name: cpol-data-sync-remove-list-element-cpol
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: cpol-data-sync-remove-list-element-rule
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
generate:
|
||||
- generate:
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
name: default-netpol
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
synchronize : true
|
||||
data:
|
||||
spec:
|
||||
# select all pods in the namespace
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
- Egress
|
||||
kind: NetworkPolicy
|
||||
name: default-netpol
|
||||
namespace: '{{request.object.metadata.name}}'
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
name: cpol-data-sync-remove-list-element-rule
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,26 +1,31 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-modify-policy
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: cpol-data-sync-modify-rule
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
names:
|
||||
- gemini-*
|
||||
generate:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
kind: ResourceQuota
|
||||
name: default-resourcequota
|
||||
synchronize: true
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
spec:
|
||||
hard:
|
||||
requests.cpu: '4'
|
||||
requests.memory: '16Gi'
|
||||
limits.cpu: '8'
|
||||
limits.memory: '16Gi'
|
||||
limits.cpu: "8"
|
||||
limits.memory: 16Gi
|
||||
requests.cpu: "4"
|
||||
requests.memory: 16Gi
|
||||
kind: ResourceQuota
|
||||
name: default-resourcequota
|
||||
namespace: '{{request.object.metadata.name}}'
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
names:
|
||||
- gemini-*
|
||||
name: cpol-data-sync-modify-rule
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,26 +1,31 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-modify-policy
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: cpol-data-sync-modify-rule
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
names:
|
||||
- gemini-*
|
||||
generate:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
kind: ResourceQuota
|
||||
name: default-resourcequota
|
||||
synchronize: true
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
spec:
|
||||
hard:
|
||||
requests.cpu: '4'
|
||||
requests.memory: '16Gi'
|
||||
limits.cpu: '9'
|
||||
limits.memory: '16Gi'
|
||||
limits.cpu: "9"
|
||||
limits.memory: 16Gi
|
||||
requests.cpu: "4"
|
||||
requests.memory: 16Gi
|
||||
kind: ResourceQuota
|
||||
name: default-resourcequota
|
||||
namespace: '{{request.object.metadata.name}}'
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
names:
|
||||
- gemini-*
|
||||
name: cpol-data-sync-modify-rule
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,17 +1,13 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: generate-update-rule-spec
|
||||
spec:
|
||||
generateExisting: false
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: k-kafka-address
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
- exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
|
@ -19,21 +15,29 @@ spec:
|
|||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
preconditions:
|
||||
- key: "{{request.operation}}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
generate:
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: default
|
||||
data:
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: default
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
name: k-kafka-address
|
||||
preconditions:
|
||||
all:
|
||||
- key: '{{request.operation}}'
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,37 +1,41 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: generate-update-rule-spec
|
||||
namespace: default
|
||||
spec:
|
||||
generateExisting: false
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: k-kafka-address
|
||||
- exclude:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- NetworkPolicy
|
||||
generate:
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: default
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Secret
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- NetworkPolicy
|
||||
name: k-kafka-address
|
||||
preconditions:
|
||||
- key: "{{request.operation}}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
generate:
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: default
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
all:
|
||||
- key: '{{request.operation}}'
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,19 +1,24 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-labels
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: add-labels
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- Service
|
||||
- ConfigMap
|
||||
- Secret
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- Service
|
||||
- ConfigMap
|
||||
- Secret
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
foo: bar
|
||||
name: add-labels
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,17 +1,21 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: advertise-resource
|
||||
spec:
|
||||
admission: true
|
||||
background: false
|
||||
rules:
|
||||
- name: advertise-resource
|
||||
match:
|
||||
resources:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Node/status
|
||||
mutate:
|
||||
patchesJson6902: |-
|
||||
- op: add
|
||||
path: "/status/capacity/example.com~1dongle"
|
||||
value: "4"
|
||||
- Node/status
|
||||
mutate:
|
||||
patchesJson6902: |-
|
||||
- op: add
|
||||
path: "/status/capacity/example.com~1dongle"
|
||||
value: "4"
|
||||
name: advertise-resource
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,32 +1,36 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-patchstrategicmerge-context-policy
|
||||
spec:
|
||||
admission: true
|
||||
background: false
|
||||
rules:
|
||||
- name: resolve-image-containers
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{request.operation}}"
|
||||
operator: In
|
||||
value:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
mutate:
|
||||
foreach:
|
||||
- list: "request.object.spec.containers"
|
||||
context:
|
||||
- name: dictionary
|
||||
configMap:
|
||||
name: foreach-patchstrategicmerge-context-configmap
|
||||
namespace: foreach-patchstrategicmerge-context-ns
|
||||
- context:
|
||||
- configMap:
|
||||
name: foreach-patchstrategicmerge-context-configmap
|
||||
namespace: foreach-patchstrategicmerge-context-ns
|
||||
name: dictionary
|
||||
list: request.object.spec.containers
|
||||
patchStrategicMerge:
|
||||
spec:
|
||||
containers:
|
||||
- name: "{{ element.name }}"
|
||||
image: "{{ dictionary.data.image }}"
|
||||
- image: '{{ dictionary.data.image }}'
|
||||
name: '{{ element.name }}'
|
||||
name: resolve-image-containers
|
||||
preconditions:
|
||||
all:
|
||||
- key: '{{request.operation}}'
|
||||
operator: AllIn
|
||||
value:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,22 +1,24 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate
|
||||
spec:
|
||||
validationFailureAction: Audit
|
||||
admission: false
|
||||
background: true
|
||||
rules:
|
||||
- name: mutate
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- Service
|
||||
- ConfigMap
|
||||
- Secret
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- Service
|
||||
- ConfigMap
|
||||
- Secret
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
foo: bar
|
||||
name: mutate
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,20 +1,20 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
policies.kyverno.io/category: Security
|
||||
policies.kyverno.io/description: 'This policy mutates any namespace-scoped Custom
|
||||
Resource Definition created by the subjects in the xteam Azure AD group
|
||||
and adds the label "createdByXteam: true".'
|
||||
Resource Definition created by the subjects in the xteam Azure AD group and
|
||||
adds the label "createdByXteam: true".'
|
||||
policies.kyverno.io/subject: RBAC
|
||||
policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad
|
||||
group
|
||||
policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad group
|
||||
policy.reporter.kyverno.io/minimal: minimal
|
||||
generation: 1
|
||||
labels:
|
||||
aws.cdk.eks/prune-c8b5941ff5f4fe911c5ee96472fda3d1f9866734a7: ""
|
||||
name: mutate-xteam-namespace-scoped-crds
|
||||
spec:
|
||||
admission: true
|
||||
background: false
|
||||
rules:
|
||||
- match:
|
||||
|
@ -22,9 +22,9 @@ spec:
|
|||
- resources:
|
||||
kinds:
|
||||
- CustomResourceDefinition
|
||||
subjects:
|
||||
- kind: Group
|
||||
name: aad:9b9had99-6k66-2222-9999-8aadb888e888
|
||||
subjects:
|
||||
- kind: Group
|
||||
name: aad:9b9had99-6k66-2222-9999-8aadb888e888
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
|
@ -39,4 +39,4 @@ spec:
|
|||
- key: '{{ request.object.spec.scope }}'
|
||||
operator: Equals
|
||||
value: Namespaced
|
||||
validationFailureAction: audit
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,22 +1,25 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: mutate
|
||||
namespace: default
|
||||
spec:
|
||||
validationFailureAction: Audit
|
||||
admission: false
|
||||
background: true
|
||||
rules:
|
||||
- name: mutate
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- Service
|
||||
- ConfigMap
|
||||
- Secret
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- Service
|
||||
- ConfigMap
|
||||
- Secret
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
foo: bar
|
||||
name: mutate
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,32 +1,35 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: preconditions
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
admission: true
|
||||
background: false
|
||||
rules:
|
||||
- name: test
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
context:
|
||||
- name: nothere
|
||||
apiCall:
|
||||
urlPath: /api/v1/namespaces/missing/configmaps/nothere
|
||||
preconditions:
|
||||
any:
|
||||
- key: "{{ request.name }}"
|
||||
operator: Equals
|
||||
value: test
|
||||
message: this pod is not allowed
|
||||
- key: "{{ nothere }}"
|
||||
operator: Equals
|
||||
value: hello
|
||||
message: value mismatch
|
||||
validate:
|
||||
pattern:
|
||||
metadata:
|
||||
name: "*"
|
||||
- context:
|
||||
- apiCall:
|
||||
method: GET
|
||||
urlPath: /api/v1/namespaces/missing/configmaps/nothere
|
||||
name: nothere
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: test
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{ request.name }}'
|
||||
message: this pod is not allowed
|
||||
operator: Equals
|
||||
value: test
|
||||
- key: '{{ nothere }}'
|
||||
message: value mismatch
|
||||
operator: Equals
|
||||
value: hello
|
||||
validate:
|
||||
pattern:
|
||||
metadata:
|
||||
name: '*'
|
||||
validationFailureAction: Enforce
|
||||
|
|
|
@ -1,35 +1,39 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-trustable-images
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: only-allow-trusted-images
|
||||
match:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: only-allow-trusted-images
|
||||
preconditions:
|
||||
- key: "{{request.operation}}"
|
||||
all:
|
||||
- key: '{{request.operation}}'
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
validate:
|
||||
message: "images with root user are not allowed"
|
||||
foreach:
|
||||
- list: "request.object.spec.containers"
|
||||
context:
|
||||
- name: imageData
|
||||
imageRegistry:
|
||||
reference: "{{ element.image }}"
|
||||
jmesPath: "{user: configData.config.User || '', registry: registry}"
|
||||
- context:
|
||||
- imageRegistry:
|
||||
jmesPath: '{user: configData.config.User || '''', registry: registry}'
|
||||
reference: '{{ element.image }}'
|
||||
name: imageData
|
||||
deny:
|
||||
conditions:
|
||||
all:
|
||||
- key: "{{ imageData.user }}"
|
||||
operator: Equals
|
||||
value: ""
|
||||
- key: "{{ imageData.registry }}"
|
||||
operator: NotEquals
|
||||
value: "ghcr.io"
|
||||
- key: '{{ imageData.user }}'
|
||||
operator: Equals
|
||||
value: ""
|
||||
- key: '{{ imageData.registry }}'
|
||||
operator: NotEquals
|
||||
value: ghcr.io
|
||||
list: request.object.spec.containers
|
||||
message: images with root user are not allowed
|
||||
validationFailureAction: Enforce
|
||||
|
|
|
@ -1,32 +1,39 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: keyed-basic-policy
|
||||
spec:
|
||||
validationFailureAction: enforce
|
||||
admission: true
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- name: keyed-basic-rule
|
||||
match:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: keyed-basic-rule
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- '*'
|
||||
attestors:
|
||||
- attestors:
|
||||
- entries:
|
||||
- keys:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
publicKeys: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
url: https://rekor.sigstore.dev
|
||||
signatureAlgorithm: sha256
|
||||
imageReferences:
|
||||
- '*'
|
||||
mutateDigest: true
|
||||
required: true
|
||||
useCache: true
|
||||
verifyDigest: true
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
|
|
|
@ -1,35 +1,42 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: tasks-keyless
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: verify-images
|
||||
- imageExtractors:
|
||||
Task:
|
||||
- path: /spec/steps/*/image
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- tekton.dev/v1beta1/Task
|
||||
name: verify-images
|
||||
preconditions:
|
||||
- key: "{{request.operation}}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
imageExtractors:
|
||||
Task:
|
||||
- path: /spec/steps/*/image
|
||||
all:
|
||||
- key: '{{request.operation}}'
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ghcr.io/*"
|
||||
attestors:
|
||||
- attestors:
|
||||
- count: 1
|
||||
entries:
|
||||
- keyless:
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
subject: "https://github.com/*"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
issuer: https://token.actions.githubusercontent.com
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
subject: https://github.com/*
|
||||
imageReferences:
|
||||
- ghcr.io/*
|
||||
mutateDigest: true
|
||||
required: true
|
||||
useCache: true
|
||||
verifyDigest: true
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
|
|
|
@ -1,30 +1,35 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: tasks-complex
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: verify-images
|
||||
- imageExtractors:
|
||||
Task:
|
||||
- key: name
|
||||
name: steps
|
||||
path: /spec/steps/*
|
||||
value: image
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- tekton.dev/v1beta1/Task
|
||||
name: verify-images
|
||||
preconditions:
|
||||
- key: "{{request.operation}}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
imageExtractors:
|
||||
Task:
|
||||
- path: /spec/steps/*
|
||||
name: steps
|
||||
value: image
|
||||
key: name
|
||||
all:
|
||||
- key: '{{request.operation}}'
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
verifyImages:
|
||||
- image: "*"
|
||||
key: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
- image: '*'
|
||||
key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END
|
||||
PUBLIC KEY----- "
|
||||
mutateDigest: true
|
||||
required: true
|
||||
useCache: true
|
||||
verifyDigest: true
|
||||
validationFailureAction: Enforce
|
||||
|
|
|
@ -1,24 +1,32 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: tasks-no-extractor
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: verify-images
|
||||
match:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- tekton.dev/v1beta1/Task
|
||||
name: verify-images
|
||||
preconditions:
|
||||
- key: "{{request.operation}}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
all:
|
||||
- key: '{{request.operation}}'
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
verifyImages:
|
||||
- image: "*"
|
||||
- image: '*'
|
||||
key: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
mutateDigest: true
|
||||
required: true
|
||||
useCache: true
|
||||
verifyDigest: true
|
||||
validationFailureAction: Enforce
|
||||
|
|
|
@ -1,27 +1,32 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: tasks-simple
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: verify-images
|
||||
- imageExtractors:
|
||||
Task:
|
||||
- path: /spec/steps/*/image
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- tekton.dev/v1beta1/Task
|
||||
name: verify-images
|
||||
preconditions:
|
||||
- key: "{{request.operation}}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
imageExtractors:
|
||||
Task:
|
||||
- path: /spec/steps/*/image
|
||||
all:
|
||||
- key: '{{request.operation}}'
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
verifyImages:
|
||||
- image: "*"
|
||||
key: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
- image: '*'
|
||||
key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END
|
||||
PUBLIC KEY----- "
|
||||
mutateDigest: true
|
||||
required: true
|
||||
useCache: true
|
||||
verifyDigest: true
|
||||
validationFailureAction: Enforce
|
||||
|
|
|
@ -4,26 +4,28 @@ kind: ClusterPolicy
|
|||
metadata:
|
||||
name: path-canonicalize
|
||||
spec:
|
||||
validationFailureAction: enforce
|
||||
admission: true
|
||||
background: false
|
||||
rules:
|
||||
- name: disallow-mount-containerd-sock
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: disallow-mount-containerd-sock
|
||||
validate:
|
||||
foreach:
|
||||
- list: "request.object.spec.volumes[]"
|
||||
deny:
|
||||
- deny:
|
||||
conditions:
|
||||
any:
|
||||
- key: "{{ path_canonicalize(element.hostPath.path) }}"
|
||||
- key: '{{ path_canonicalize(element.hostPath.path) }}'
|
||||
operator: Equals
|
||||
value: "/var/run/containerd/containerd.sock"
|
||||
- key: "{{ path_canonicalize(element.hostPath.path) }}"
|
||||
value: /var/run/containerd/containerd.sock
|
||||
- key: '{{ path_canonicalize(element.hostPath.path) }}'
|
||||
operator: Equals
|
||||
value: "/run/containerd/containerd.sock"
|
||||
- key: "{{ path_canonicalize(element.hostPath.path) }}"
|
||||
value: /run/containerd/containerd.sock
|
||||
- key: '{{ path_canonicalize(element.hostPath.path) }}'
|
||||
operator: Equals
|
||||
value: "\\var\\run\\containerd\\containerd.sock"
|
||||
value: \var\run\containerd\containerd.sock
|
||||
list: request.object.spec.volumes[]
|
||||
validationFailureAction: Enforce
|
||||
|
|
|
@ -1,16 +1,21 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-pod-disable-automoutingapicred
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: pod-disable-automoutingapicred
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
spec:
|
||||
(serviceAccountName): "*"
|
||||
automountServiceAccountToken: false
|
||||
(serviceAccountName): '*'
|
||||
automountServiceAccountToken: false
|
||||
name: pod-disable-automoutingapicred
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,34 +1,36 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: resolve-image
|
||||
spec:
|
||||
admission: true
|
||||
background: false
|
||||
rules:
|
||||
- name: resolve-image-containers
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{request.operation}}"
|
||||
operator: In
|
||||
value:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
mutate:
|
||||
foreach:
|
||||
- list: "request.object.spec.containers"
|
||||
context:
|
||||
- name: dictionary
|
||||
configMap:
|
||||
# Name of the ConfigMap which will be looked up
|
||||
name: some-config-map
|
||||
# Namespace in which this ConfigMap is stored
|
||||
namespace: some-namespace
|
||||
- context:
|
||||
- configMap:
|
||||
name: some-config-map
|
||||
namespace: some-namespace
|
||||
name: dictionary
|
||||
list: request.object.spec.containers
|
||||
patchStrategicMerge:
|
||||
spec:
|
||||
containers:
|
||||
- name: "{{ element.name }}"
|
||||
image: "{{ dictionary.data.image }}"
|
||||
- image: '{{ dictionary.data.image }}'
|
||||
name: '{{ element.name }}'
|
||||
name: resolve-image-containers
|
||||
preconditions:
|
||||
all:
|
||||
- key: '{{request.operation}}'
|
||||
operator: AllIn
|
||||
value:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,40 +1,45 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-cpu-memory
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: check-defined
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
name: check-defined
|
||||
validate:
|
||||
message: "Resource limits are required for CPU and memory"
|
||||
message: Resource limits are required for CPU and memory
|
||||
pattern:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: "?*"
|
||||
- name: ?*
|
||||
resources:
|
||||
limits:
|
||||
memory: "?*"
|
||||
cpu: "?*"
|
||||
|
||||
- name: check-cpu
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
cpu: ?*
|
||||
memory: ?*
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
name: check-cpu
|
||||
validate:
|
||||
message: "CPU request should be less than 4"
|
||||
message: CPU request should be less than 4
|
||||
pattern:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
- name: '*'
|
||||
resources:
|
||||
requests:
|
||||
cpu: "<4m"
|
||||
cpu: <4m
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,19 +1,24 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-host-path
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: check-host-path
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: check-host-path
|
||||
validate:
|
||||
message: "Host path is not allowed"
|
||||
message: Host path is not allowed
|
||||
pattern:
|
||||
spec:
|
||||
volumes:
|
||||
- name: "*"
|
||||
hostPath:
|
||||
- hostPath:
|
||||
path: ""
|
||||
name: '*'
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,22 +1,25 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: image-pull-policy
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: image-pull-policy
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
name: image-pull-policy
|
||||
validate:
|
||||
message: "Image tag ':latest' requires imagePullPolicy 'Always'"
|
||||
message: Image tag ':latest' requires imagePullPolicy 'Always'
|
||||
pattern:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
# select images which end with :latest
|
||||
- (image): "*latest"
|
||||
# require that the imagePullPolicy is "Always"
|
||||
- (image): '*latest'
|
||||
imagePullPolicy: Always
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,26 +1,27 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name : validation-example2
|
||||
spec :
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validation-example2
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: check-memory_requests_link_in_yaml
|
||||
match:
|
||||
resources:
|
||||
# Kind specifies one or more resource types to match
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
# Name is optional and can use wildcards
|
||||
name: "*"
|
||||
# Selector is optional
|
||||
selector:
|
||||
validate:
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
resources:
|
||||
requests:
|
||||
memory: "$(<=/spec/containers/0/resources/limits/memory)"
|
||||
limits:
|
||||
memory: "2048Mi"
|
||||
- Deployment
|
||||
name: '*'
|
||||
name: check-memory_requests_link_in_yaml
|
||||
validate:
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- name: '*'
|
||||
resources:
|
||||
limits:
|
||||
memory: 2048Mi
|
||||
requests:
|
||||
memory: $(<=/spec/containers/0/resources/limits/memory)
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,26 +1,27 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name : validation-example2
|
||||
spec :
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validation-example2
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: check-memory_requests_link_in_yaml_relative
|
||||
match:
|
||||
resources:
|
||||
# Kind specifies one or more resource types to match
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
# Name is optional and can use wildcards
|
||||
name: "*"
|
||||
# Selector is optional
|
||||
selector:
|
||||
validate:
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- (name): "*"
|
||||
resources:
|
||||
requests:
|
||||
memory: "$(<=./../../lim(its/mem)ory)"
|
||||
lim(its:
|
||||
mem)ory: "2048Mi"
|
||||
- Deployment
|
||||
name: '*'
|
||||
name: check-memory_requests_link_in_yaml_relative
|
||||
validate:
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- (name): '*'
|
||||
resources:
|
||||
lim(its:
|
||||
mem)ory: 2048Mi
|
||||
requests:
|
||||
memory: $(<=./../../lim(its/mem)ory)
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,34 +1,35 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-kernel
|
||||
annotations:
|
||||
policies.kyverno.io/title: Check Node for CVE-2022-0185
|
||||
policies.kyverno.io/category: Other
|
||||
policies.kyverno.io/severity: high
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.23"
|
||||
policies.kyverno.io/subject: Node
|
||||
policies.kyverno.io/description: >-
|
||||
Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched.
|
||||
The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2.
|
||||
For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185.
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/category: Other
|
||||
policies.kyverno.io/description: Linux CVE-2022-0185 can allow a container escape
|
||||
in Kubernetes if left unpatched. The affected Linux kernel versions, at this
|
||||
time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185.
|
||||
This policy runs in background mode and flags an entry in the ClusterPolicyReport
|
||||
if any Node is reporting one of the affected kernel versions.
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
policies.kyverno.io/severity: high
|
||||
policies.kyverno.io/subject: Node
|
||||
policies.kyverno.io/title: Check Node for CVE-2022-0185
|
||||
name: check-kernel
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: kernel-validate
|
||||
match:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Node
|
||||
- Node
|
||||
name: kernel-validate
|
||||
validate:
|
||||
message: "Kernel is vulnerable to CVE-2022-0185."
|
||||
message: Kernel is vulnerable to CVE-2022-0185.
|
||||
pattern:
|
||||
status:
|
||||
nodeInfo:
|
||||
kernelVersion: "!5.10.84-1 & !5.15.5-2"
|
||||
kernelVersion: '!5.10.84-1 & !5.15.5-2'
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,16 +1,21 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-node-port
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: check-node-port
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Service
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Service
|
||||
name: check-node-port
|
||||
validate:
|
||||
message: "NodePort type is not allowed"
|
||||
message: NodePort type is not allowed
|
||||
pattern:
|
||||
spec:
|
||||
type: "!NodePort"
|
||||
type: '!NodePort'
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,21 +1,26 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
name : check-non-root
|
||||
spec :
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-non-root
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: check-non-root
|
||||
match:
|
||||
resources:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
- StatefuleSet
|
||||
- DaemonSet
|
||||
validate:
|
||||
message: "Root user is not allowed"
|
||||
pattern:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
name: check-non-root
|
||||
validate:
|
||||
message: Root user is not allowed
|
||||
pattern:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,36 +1,42 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-probe-exists
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: check-liveness-probe-exists
|
||||
match:
|
||||
resources:
|
||||
kinds :
|
||||
- StatefulSet
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- StatefulSet
|
||||
name: check-liveness-probe-exists
|
||||
validate:
|
||||
message: "a livenessProbe is required"
|
||||
message: a livenessProbe is required
|
||||
pattern:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
livenessProbe:
|
||||
periodSeconds: ">0"
|
||||
- name: check-readiness-probe-exists
|
||||
match:
|
||||
resources:
|
||||
kinds :
|
||||
- StatefulSet
|
||||
- livenessProbe:
|
||||
periodSeconds: '>0'
|
||||
name: '*'
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- StatefulSet
|
||||
name: check-readiness-probe-exists
|
||||
validate:
|
||||
message: "a readinessProbe is required"
|
||||
message: a readinessProbe is required
|
||||
pattern:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
- name: '*'
|
||||
readinessProbe:
|
||||
periodSeconds: ">0"
|
||||
periodSeconds: '>0'
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,36 +1,42 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
kind : ClusterPolicy
|
||||
metadata :
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-probe-intervals
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: check-probe-intervals
|
||||
match:
|
||||
resources:
|
||||
kinds :
|
||||
- Deployment
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
name: check-probe-intervals
|
||||
validate:
|
||||
message: "livenessProbe must be > 10s"
|
||||
message: livenessProbe must be > 10s
|
||||
pattern:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
livenessProbe:
|
||||
periodSeconds: ">10"
|
||||
- name: check-probe-intervals
|
||||
match:
|
||||
resources:
|
||||
kinds :
|
||||
- Deployment
|
||||
- livenessProbe:
|
||||
periodSeconds: '>10'
|
||||
name: '*'
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
name: check-probe-intervals
|
||||
validate:
|
||||
message: "readinessProbe must be > 10s"
|
||||
message: readinessProbe must be > 10s
|
||||
pattern:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
readinessProbe:
|
||||
periodSeconds: ">10"
|
||||
- name: '*'
|
||||
readinessProbe:
|
||||
periodSeconds: '>10'
|
||||
validationFailureAction: Audit
|
||||
|
|
|
@ -1,22 +1,26 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-registries
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
rules:
|
||||
- name: check-registries
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
- StatefulSet
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
- StatefulSet
|
||||
name: check-registries
|
||||
validate:
|
||||
message: "Registry is not allowed"
|
||||
message: Registry is not allowed
|
||||
pattern:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
# Check allowed registries
|
||||
image: "*/nirmata/* | https://private.registry.io/*"
|
||||
- image: '*/nirmata/* | https://private.registry.io/*'
|
||||
name: '*'
|
||||
validationFailureAction: Audit
|
||||
|
|
Loading…
Reference in a new issue