chore: fix policies (#8449)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
parent
f9c85f447d
commit
6a43ec4bcf
42 changed files with 820 additions and 637 deletions
4
Makefile
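--- a/Makefile
+++ b/Makefile
@@ -547,12 +547,12 @@ codegen-docs-all: codegen-helm-docs codegen-cli-docs codegen-api-docs ## Genera
 .PHONY: codegen-fix-tests
 codegen-fix-tests: $(CLI_BIN) ## Fix CLI test files
 @echo Fix CLI test files... >&2
-@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix test ./test/cli --save --compress --force
+@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix test . --save --compress --force
 
 .PHONY: codegen-fix-policies
 codegen-fix-policies: $(CLI_BIN) ## Fix CLI policy files
 @echo Fix CLI policy files... >&2
-@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix policy ./test/cli/test --save
+@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix policy . --save
 
 .PHONY: codegen-cli-all
 codegen-cli-all: codegen-cli-crds codegen-cli-docs codegen-cli-api-docs codegen-fix-tests ## Generate all CLI related code and docs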
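Review bot: Widening `fix test` and `fix policy` from `./test/cli` and `./test/cli/test` to `.` turns these targets into an in-place rewrite of every test and policy file the CLI recognises anywhere under the repository root, and the rewritten fixtures elsewhere in this commit show that the serializer does not preserve YAML comments (the `# first loop` markers and the explanatory header comment in the testdata policies are gone). If the whole tree is the intended scope, the `##` help text should say so, e.g. `codegen-fix-policies: $(CLI_BIN) ## Rewrite every policy YAML under the repo root in place (YAML comments are dropped)`; otherwise pin the path to the directories meant to be normalised. Whether the CLI skips charts or docs samples when walking `.` is not visible here and is worth confirming before merging.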
@ -1,4 +1,7 @@
|
||||||
name: test-registry
|
apiVersion: cli.kyverno.io/v1alpha1
|
||||||
|
kind: Test
|
||||||
|
metadata:
|
||||||
|
name: test-registry
|
||||||
policies:
|
policies:
|
||||||
- image-example.yaml
|
- image-example.yaml
|
||||||
resources:
|
resources:
|
||||||
|
@ -8,11 +11,6 @@ results:
|
||||||
policy: images
|
policy: images
|
||||||
resources:
|
resources:
|
||||||
- test-pod-with-non-root-user-image
|
- test-pod-with-non-root-user-image
|
||||||
result: pass
|
|
||||||
rule: only-allow-trusted-images
|
|
||||||
- kind: Pod
|
|
||||||
policy: images
|
|
||||||
resources:
|
|
||||||
- test-pod-with-trusted-registry
|
- test-pod-with-trusted-registry
|
||||||
result: pass
|
result: pass
|
||||||
rule: only-allow-trusted-images
|
rule: only-allow-trusted-images
|
||||||
|
|
|
@ -1,16 +1,12 @@
|
||||||
name: add-quota
|
apiVersion: cli.kyverno.io/v1alpha1
|
||||||
|
kind: Test
|
||||||
|
metadata:
|
||||||
|
name: add-quota
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- generatedResource: generatedResourceQuota.yaml
|
|
||||||
kind: Namespace
|
|
||||||
policy: add-ns-quota
|
|
||||||
resources:
|
|
||||||
- hello-world-namespace
|
|
||||||
result: pass
|
|
||||||
rule: generate-resourcequota
|
|
||||||
- generatedResource: generatedLimitRange.yaml
|
- generatedResource: generatedLimitRange.yaml
|
||||||
kind: Namespace
|
kind: Namespace
|
||||||
policy: add-ns-quota
|
policy: add-ns-quota
|
||||||
|
@ -18,3 +14,10 @@ results:
|
||||||
- hello-world-namespace
|
- hello-world-namespace
|
||||||
result: pass
|
result: pass
|
||||||
rule: generate-limitrange
|
rule: generate-limitrange
|
||||||
|
- generatedResource: generatedResourceQuota.yaml
|
||||||
|
kind: Namespace
|
||||||
|
policy: add-ns-quota
|
||||||
|
resources:
|
||||||
|
- hello-world-namespace
|
||||||
|
result: pass
|
||||||
|
rule: generate-resourcequota
|
||||||
|
|
|
@ -107,6 +107,18 @@ func (o options) processFile(out io.Writer, path string) {
|
||||||
rule := rule.(map[string]interface{})
|
rule := rule.(map[string]interface{})
|
||||||
unstructured.RemoveNestedField(rule, "exclude", "resources")
|
unstructured.RemoveNestedField(rule, "exclude", "resources")
|
||||||
unstructured.RemoveNestedField(rule, "match", "resources")
|
unstructured.RemoveNestedField(rule, "match", "resources")
|
||||||
|
if any, ok, err := unstructured.NestedFieldNoCopy(rule, "match", "any"); ok && err == nil {
|
||||||
|
cleanResourceFilters(any.([]interface{}))
|
||||||
|
}
|
||||||
|
if all, ok, err := unstructured.NestedFieldNoCopy(rule, "match", "all"); ok && err == nil {
|
||||||
|
cleanResourceFilters(all.([]interface{}))
|
||||||
|
}
|
||||||
|
if any, ok, err := unstructured.NestedFieldNoCopy(rule, "exclude", "any"); ok && err == nil {
|
||||||
|
cleanResourceFilters(any.([]interface{}))
|
||||||
|
}
|
||||||
|
if all, ok, err := unstructured.NestedFieldNoCopy(rule, "exclude", "all"); ok && err == nil {
|
||||||
|
cleanResourceFilters(all.([]interface{}))
|
||||||
|
}
|
||||||
if item, _, _ := unstructured.NestedMap(rule, "generate", "clone"); len(item) == 0 {
|
if item, _, _ := unstructured.NestedMap(rule, "generate", "clone"); len(item) == 0 {
|
||||||
unstructured.RemoveNestedField(rule, "generate", "clone")
|
unstructured.RemoveNestedField(rule, "generate", "clone")
|
||||||
}
|
}
|
||||||
|
@ -165,3 +177,12 @@ func (o options) processFile(out io.Writer, path string) {
|
||||||
fmt.Fprintln(out, " OK")
|
fmt.Fprintln(out, " OK")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func cleanResourceFilters(rf []interface{}) {
|
||||||
|
for _, f := range rf {
|
||||||
|
a := f.(map[string]interface{})
|
||||||
|
if item, _, _ := unstructured.NestedMap(a, "resources"); len(item) == 0 {
|
||||||
|
unstructured.RemoveNestedField(a, "resources")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
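Review bot: The four new `NestedFieldNoCopy` blocks in `processFile` and the body of `cleanResourceFilters` rely on single-value type assertions (`any.([]interface{})`, `f.(map[string]interface{})`), so a policy file whose `match.any` is not a list, or whose list entry is not a mapping, panics the command instead of yielding an error; since `fix policy` rewrites files in place, malformed input should be reported rather than abort the run part-way. Use the two-value form and skip what does not match, e.g. in `cleanResourceFilters`: `a, ok := f.(map[string]interface{})` followed by `if !ok { continue }`, and the same pattern for the list assertions in `processFile`. The `NestedMap` error is also discarded in `cleanResourceFilters` (and in the existing `generate.clone` check), so a `resources` value that exists but is not a mapping comes back as an empty map and is silently removed; guard with `if item, _, err := unstructured.NestedMap(a, "resources"); err == nil && len(item) == 0 {`. Naming the loop variables `any` shadows the predeclared identifier; `list` or `entries` avoids that. `processFile` starts and ends outside these hunks.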
@ -10,6 +10,8 @@ import (
|
||||||
"github.com/go-git/go-billy/v5/memfs"
|
"github.com/go-git/go-billy/v5/memfs"
|
||||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/v1alpha1"
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/v1alpha1"
|
||||||
|
"gotest.tools/assert"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestLoadTests(t *testing.T) {
|
func TestLoadTests(t *testing.T) {
|
||||||
|
@ -47,7 +49,13 @@ func TestLoadTests(t *testing.T) {
|
||||||
want: []TestCase{{
|
want: []TestCase{{
|
||||||
Path: "../_testdata/tests/test-1/kyverno-test.yaml",
|
Path: "../_testdata/tests/test-1/kyverno-test.yaml",
|
||||||
Test: &v1alpha1.Test{
|
Test: &v1alpha1.Test{
|
||||||
Name: "test-registry",
|
TypeMeta: metav1.TypeMeta{
|
||||||
|
APIVersion: "cli.kyverno.io/v1alpha1",
|
||||||
|
Kind: "Test",
|
||||||
|
},
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "test-registry",
|
||||||
|
},
|
||||||
Policies: []string{"image-example.yaml"},
|
Policies: []string{"image-example.yaml"},
|
||||||
Resources: []string{"resources.yaml"},
|
Resources: []string{"resources.yaml"},
|
||||||
Results: []v1alpha1.TestResult{{
|
Results: []v1alpha1.TestResult{{
|
||||||
|
@ -57,15 +65,10 @@ func TestLoadTests(t *testing.T) {
|
||||||
Result: policyreportv1alpha2.StatusPass,
|
Result: policyreportv1alpha2.StatusPass,
|
||||||
Rule: "only-allow-trusted-images",
|
Rule: "only-allow-trusted-images",
|
||||||
},
|
},
|
||||||
Resources: []string{"test-pod-with-non-root-user-image"},
|
Resources: []string{
|
||||||
}, {
|
"test-pod-with-non-root-user-image",
|
||||||
TestResultBase: v1alpha1.TestResultBase{
|
"test-pod-with-trusted-registry",
|
||||||
Kind: "Pod",
|
|
||||||
Policy: "images",
|
|
||||||
Result: policyreportv1alpha2.StatusPass,
|
|
||||||
Rule: "only-allow-trusted-images",
|
|
||||||
},
|
},
|
||||||
Resources: []string{"test-pod-with-trusted-registry"},
|
|
||||||
}},
|
}},
|
||||||
},
|
},
|
||||||
}},
|
}},
|
||||||
|
@ -77,7 +80,13 @@ func TestLoadTests(t *testing.T) {
|
||||||
want: []TestCase{{
|
want: []TestCase{{
|
||||||
Path: "../_testdata/tests/test-2/kyverno-test.yaml",
|
Path: "../_testdata/tests/test-2/kyverno-test.yaml",
|
||||||
Test: &v1alpha1.Test{
|
Test: &v1alpha1.Test{
|
||||||
Name: "add-quota",
|
TypeMeta: metav1.TypeMeta{
|
||||||
|
APIVersion: "cli.kyverno.io/v1alpha1",
|
||||||
|
Kind: "Test",
|
||||||
|
},
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "add-quota",
|
||||||
|
},
|
||||||
Policies: []string{"policy.yaml"},
|
Policies: []string{"policy.yaml"},
|
||||||
Resources: []string{"resource.yaml"},
|
Resources: []string{"resource.yaml"},
|
||||||
Results: []v1alpha1.TestResult{{
|
Results: []v1alpha1.TestResult{{
|
||||||
|
@ -85,8 +94,8 @@ func TestLoadTests(t *testing.T) {
|
||||||
Kind: "Namespace",
|
Kind: "Namespace",
|
||||||
Policy: "add-ns-quota",
|
Policy: "add-ns-quota",
|
||||||
Result: policyreportv1alpha2.StatusPass,
|
Result: policyreportv1alpha2.StatusPass,
|
||||||
Rule: "generate-resourcequota",
|
Rule: "generate-limitrange",
|
||||||
GeneratedResource: "generatedResourceQuota.yaml",
|
GeneratedResource: "generatedLimitRange.yaml",
|
||||||
},
|
},
|
||||||
Resources: []string{"hello-world-namespace"},
|
Resources: []string{"hello-world-namespace"},
|
||||||
}, {
|
}, {
|
||||||
|
@ -94,8 +103,8 @@ func TestLoadTests(t *testing.T) {
|
||||||
Kind: "Namespace",
|
Kind: "Namespace",
|
||||||
Policy: "add-ns-quota",
|
Policy: "add-ns-quota",
|
||||||
Result: policyreportv1alpha2.StatusPass,
|
Result: policyreportv1alpha2.StatusPass,
|
||||||
Rule: "generate-limitrange",
|
Rule: "generate-resourcequota",
|
||||||
GeneratedResource: "generatedLimitRange.yaml",
|
GeneratedResource: "generatedResourceQuota.yaml",
|
||||||
},
|
},
|
||||||
Resources: []string{"hello-world-namespace"},
|
Resources: []string{"hello-world-namespace"},
|
||||||
}},
|
}},
|
||||||
|
@ -109,7 +118,13 @@ func TestLoadTests(t *testing.T) {
|
||||||
want: []TestCase{{
|
want: []TestCase{{
|
||||||
Path: "../_testdata/tests/test-1/kyverno-test.yaml",
|
Path: "../_testdata/tests/test-1/kyverno-test.yaml",
|
||||||
Test: &v1alpha1.Test{
|
Test: &v1alpha1.Test{
|
||||||
Name: "test-registry",
|
TypeMeta: metav1.TypeMeta{
|
||||||
|
APIVersion: "cli.kyverno.io/v1alpha1",
|
||||||
|
Kind: "Test",
|
||||||
|
},
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "test-registry",
|
||||||
|
},
|
||||||
Policies: []string{"image-example.yaml"},
|
Policies: []string{"image-example.yaml"},
|
||||||
Resources: []string{"resources.yaml"},
|
Resources: []string{"resources.yaml"},
|
||||||
Results: []v1alpha1.TestResult{{
|
Results: []v1alpha1.TestResult{{
|
||||||
|
@ -119,21 +134,22 @@ func TestLoadTests(t *testing.T) {
|
||||||
Result: policyreportv1alpha2.StatusPass,
|
Result: policyreportv1alpha2.StatusPass,
|
||||||
Rule: "only-allow-trusted-images",
|
Rule: "only-allow-trusted-images",
|
||||||
},
|
},
|
||||||
Resources: []string{"test-pod-with-non-root-user-image"},
|
Resources: []string{
|
||||||
}, {
|
"test-pod-with-non-root-user-image",
|
||||||
TestResultBase: v1alpha1.TestResultBase{
|
"test-pod-with-trusted-registry",
|
||||||
Kind: "Pod",
|
|
||||||
Policy: "images",
|
|
||||||
Result: policyreportv1alpha2.StatusPass,
|
|
||||||
Rule: "only-allow-trusted-images",
|
|
||||||
},
|
},
|
||||||
Resources: []string{"test-pod-with-trusted-registry"},
|
|
||||||
}},
|
}},
|
||||||
},
|
},
|
||||||
}, {
|
}, {
|
||||||
Path: "../_testdata/tests/test-2/kyverno-test.yaml",
|
Path: "../_testdata/tests/test-2/kyverno-test.yaml",
|
||||||
Test: &v1alpha1.Test{
|
Test: &v1alpha1.Test{
|
||||||
Name: "add-quota",
|
TypeMeta: metav1.TypeMeta{
|
||||||
|
APIVersion: "cli.kyverno.io/v1alpha1",
|
||||||
|
Kind: "Test",
|
||||||
|
},
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "add-quota",
|
||||||
|
},
|
||||||
Policies: []string{"policy.yaml"},
|
Policies: []string{"policy.yaml"},
|
||||||
Resources: []string{"resource.yaml"},
|
Resources: []string{"resource.yaml"},
|
||||||
Results: []v1alpha1.TestResult{{
|
Results: []v1alpha1.TestResult{{
|
||||||
|
@ -141,8 +157,8 @@ func TestLoadTests(t *testing.T) {
|
||||||
Kind: "Namespace",
|
Kind: "Namespace",
|
||||||
Policy: "add-ns-quota",
|
Policy: "add-ns-quota",
|
||||||
Result: policyreportv1alpha2.StatusPass,
|
Result: policyreportv1alpha2.StatusPass,
|
||||||
Rule: "generate-resourcequota",
|
Rule: "generate-limitrange",
|
||||||
GeneratedResource: "generatedResourceQuota.yaml",
|
GeneratedResource: "generatedLimitRange.yaml",
|
||||||
},
|
},
|
||||||
Resources: []string{"hello-world-namespace"},
|
Resources: []string{"hello-world-namespace"},
|
||||||
}, {
|
}, {
|
||||||
|
@ -150,8 +166,8 @@ func TestLoadTests(t *testing.T) {
|
||||||
Kind: "Namespace",
|
Kind: "Namespace",
|
||||||
Policy: "add-ns-quota",
|
Policy: "add-ns-quota",
|
||||||
Result: policyreportv1alpha2.StatusPass,
|
Result: policyreportv1alpha2.StatusPass,
|
||||||
Rule: "generate-limitrange",
|
Rule: "generate-resourcequota",
|
||||||
GeneratedResource: "generatedLimitRange.yaml",
|
GeneratedResource: "generatedResourceQuota.yaml",
|
||||||
},
|
},
|
||||||
Resources: []string{"hello-world-namespace"},
|
Resources: []string{"hello-world-namespace"},
|
||||||
}},
|
}},
|
||||||
|
@ -198,7 +214,13 @@ func TestLoadTest(t *testing.T) {
|
||||||
want: TestCase{
|
want: TestCase{
|
||||||
Path: "../_testdata/tests/test-1/kyverno-test.yaml",
|
Path: "../_testdata/tests/test-1/kyverno-test.yaml",
|
||||||
Test: &v1alpha1.Test{
|
Test: &v1alpha1.Test{
|
||||||
Name: "test-registry",
|
TypeMeta: metav1.TypeMeta{
|
||||||
|
APIVersion: "cli.kyverno.io/v1alpha1",
|
||||||
|
Kind: "Test",
|
||||||
|
},
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "test-registry",
|
||||||
|
},
|
||||||
Policies: []string{"image-example.yaml"},
|
Policies: []string{"image-example.yaml"},
|
||||||
Resources: []string{"resources.yaml"},
|
Resources: []string{"resources.yaml"},
|
||||||
Results: []v1alpha1.TestResult{{
|
Results: []v1alpha1.TestResult{{
|
||||||
|
@ -208,15 +230,10 @@ func TestLoadTest(t *testing.T) {
|
||||||
Result: policyreportv1alpha2.StatusPass,
|
Result: policyreportv1alpha2.StatusPass,
|
||||||
Rule: "only-allow-trusted-images",
|
Rule: "only-allow-trusted-images",
|
||||||
},
|
},
|
||||||
Resources: []string{"test-pod-with-non-root-user-image"},
|
Resources: []string{
|
||||||
}, {
|
"test-pod-with-non-root-user-image",
|
||||||
TestResultBase: v1alpha1.TestResultBase{
|
"test-pod-with-trusted-registry",
|
||||||
Kind: "Pod",
|
|
||||||
Policy: "images",
|
|
||||||
Result: policyreportv1alpha2.StatusPass,
|
|
||||||
Rule: "only-allow-trusted-images",
|
|
||||||
},
|
},
|
||||||
Resources: []string{"test-pod-with-trusted-registry"},
|
|
||||||
}},
|
}},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -226,7 +243,13 @@ func TestLoadTest(t *testing.T) {
|
||||||
want: TestCase{
|
want: TestCase{
|
||||||
Path: "kyverno-test.yaml",
|
Path: "kyverno-test.yaml",
|
||||||
Test: &v1alpha1.Test{
|
Test: &v1alpha1.Test{
|
||||||
Name: "test-registry",
|
TypeMeta: metav1.TypeMeta{
|
||||||
|
APIVersion: "cli.kyverno.io/v1alpha1",
|
||||||
|
Kind: "Test",
|
||||||
|
},
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "test-registry",
|
||||||
|
},
|
||||||
Policies: []string{"image-example.yaml"},
|
Policies: []string{"image-example.yaml"},
|
||||||
Resources: []string{"resources.yaml"},
|
Resources: []string{"resources.yaml"},
|
||||||
Results: []v1alpha1.TestResult{{
|
Results: []v1alpha1.TestResult{{
|
||||||
|
@ -236,15 +259,10 @@ func TestLoadTest(t *testing.T) {
|
||||||
Result: policyreportv1alpha2.StatusPass,
|
Result: policyreportv1alpha2.StatusPass,
|
||||||
Rule: "only-allow-trusted-images",
|
Rule: "only-allow-trusted-images",
|
||||||
},
|
},
|
||||||
Resources: []string{"test-pod-with-non-root-user-image"},
|
Resources: []string{
|
||||||
}, {
|
"test-pod-with-non-root-user-image",
|
||||||
TestResultBase: v1alpha1.TestResultBase{
|
"test-pod-with-trusted-registry",
|
||||||
Kind: "Pod",
|
|
||||||
Policy: "images",
|
|
||||||
Result: policyreportv1alpha2.StatusPass,
|
|
||||||
Rule: "only-allow-trusted-images",
|
|
||||||
},
|
},
|
||||||
Resources: []string{"test-pod-with-trusted-registry"},
|
|
||||||
}},
|
}},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -288,10 +306,9 @@ func TestLoadTest(t *testing.T) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
got.Err = nil
|
got.Err = nil
|
||||||
tt.want.Fs = tt.fs
|
tt.want.Fs = nil
|
||||||
if !reflect.DeepEqual(got, tt.want) {
|
got.Fs = nil
|
||||||
t.Errorf("LoadTest() = %v, want %v", got, tt.want)
|
assert.DeepEqual(t, tt.want, got)
|
||||||
}
|
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
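Review bot: Setting both `tt.want.Fs = nil` and `got.Fs = nil` before `assert.DeepEqual` in the last hunk drops the only check that `LoadTest` hands back the filesystem it was given, since the removed line compared `got.Fs` against `tt.fs`. If `DeepEqual` on the memfs value is what motivated the change, keep a direct identity check before clearing the field, e.g. `if got.Fs != tt.fs { t.Errorf("LoadTest() Fs = %v, want %v", got.Fs, tt.fs) }` (hedged: whether the billy interface values compare with `==` for the fixtures used here is not visible in this hunk). The same `Fs`-clearing pattern may exist in `TestLoadTests`; its assertion block is outside the shown hunks. `TestLoadTest` starts outside the hunk.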
@ -1,20 +1,24 @@
|
||||||
# A file with no reserved name "assert" or "errors" will be created with the below contents. Can be multiple YAML docs in the same file.
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: add-labels
|
name: add-labels
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: add-labels
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
- Service
|
- Service
|
||||||
- ConfigMap
|
- ConfigMap
|
||||||
- Secret
|
- Secret
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
foo: bar
|
foo: bar
|
||||||
|
name: add-labels
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,19 +1,24 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: add-labels
|
name: add-labels
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: add-labels
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
- Service
|
- Service
|
||||||
- ConfigMap
|
- ConfigMap
|
||||||
- Secret
|
- Secret
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
foo: bar
|
foo: bar
|
||||||
|
name: add-labels
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,13 +1,16 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: testcase-7fki3
|
name: testcase-7fki3
|
||||||
spec:
|
spec:
|
||||||
schemaValidation: false
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
validationFailureAction: Enforce
|
|
||||||
rules:
|
rules:
|
||||||
- name: mutate1
|
- context:
|
||||||
|
- name: var1
|
||||||
|
variable:
|
||||||
|
value: AAA
|
||||||
match:
|
match:
|
||||||
all:
|
all:
|
||||||
- resources:
|
- resources:
|
||||||
|
@ -15,31 +18,27 @@ spec:
|
||||||
- v1/ConfigMap
|
- v1/ConfigMap
|
||||||
names:
|
names:
|
||||||
- testcase-7fki3-resource
|
- testcase-7fki3-resource
|
||||||
context:
|
mutate:
|
||||||
- name: var1
|
foreach:
|
||||||
variable:
|
- list: '[''dummy'']'
|
||||||
value: AAA
|
patchStrategicMerge:
|
||||||
|
data:
|
||||||
|
from_loop_1: '{{ var1 || ''!!!variable not resolved!!!'' }}'
|
||||||
|
- list: '[''dummy'']'
|
||||||
|
patchStrategicMerge:
|
||||||
|
data:
|
||||||
|
from_loop_2: '{{ var1 || ''!!!variable not resolved!!!'' }}'
|
||||||
|
- list: '[''dummy'']'
|
||||||
|
patchStrategicMerge:
|
||||||
|
data:
|
||||||
|
from_loop_3: '{{ var1 || ''!!!variable not resolved!!!'' }}'
|
||||||
|
name: mutate1
|
||||||
preconditions:
|
preconditions:
|
||||||
all:
|
all:
|
||||||
- key: "{{ request.operation }}"
|
- key: '{{ request.operation }}'
|
||||||
operator: In
|
operator: AllIn
|
||||||
value:
|
value:
|
||||||
- CREATE
|
- CREATE
|
||||||
- UPDATE
|
- UPDATE
|
||||||
mutate:
|
schemaValidation: false
|
||||||
foreach:
|
validationFailureAction: Enforce
|
||||||
# first loop
|
|
||||||
- list: "['dummy']"
|
|
||||||
patchStrategicMerge:
|
|
||||||
data:
|
|
||||||
from_loop_1: "{{ var1 || '!!!variable not resolved!!!' }}"
|
|
||||||
# second loop
|
|
||||||
- list: "['dummy']"
|
|
||||||
patchStrategicMerge:
|
|
||||||
data:
|
|
||||||
from_loop_2: "{{ var1 || '!!!variable not resolved!!!' }}"
|
|
||||||
# third loop
|
|
||||||
- list: "['dummy']"
|
|
||||||
patchStrategicMerge:
|
|
||||||
data:
|
|
||||||
from_loop_3: "{{ var1 || '!!!variable not resolved!!!' }}"
|
|
||||||
|
|
|
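Review bot: The precondition operator in `testcase-7fki3` is rewritten from `In` to `AllIn` (second hunk) while the key is still the scalar `'{{ request.operation }}'`; that is a semantic normalisation performed by the fix command rather than a formatting change, and nothing in this commit states that the two operators are treated as equivalent for a scalar key. A one-line mention in the commit description, or a CLI test fixture that pins the `In` to `AllIn` rewrite, would make the intent reviewable. The `# first loop` / `# second loop` / `# third loop` comments on the `foreach` entries are also lost in the rewrite, which is expected if the serializer cannot carry comments but is worth noting for fixtures that rely on them for readability.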
@ -1,29 +1,31 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: disallow-latest-tag-events-creation
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/title: Disallow Latest Tag
|
|
||||||
policies.kyverno.io/category: Best Practices
|
policies.kyverno.io/category: Best Practices
|
||||||
|
policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead
|
||||||
|
to unexpected errors if the image changes. A best practice is to use an immutable
|
||||||
|
tag that maps to a specific version of an application Pod. This policy validates
|
||||||
|
that the image specifies a tag and that it is not called `latest`. '
|
||||||
policies.kyverno.io/severity: medium
|
policies.kyverno.io/severity: medium
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/title: Disallow Latest Tag
|
||||||
The ':latest' tag is mutable and can lead to unexpected errors if the
|
name: disallow-latest-tag-events-creation
|
||||||
image changes. A best practice is to use an immutable tag that maps to
|
|
||||||
a specific version of an application Pod. This policy validates that the image
|
|
||||||
specifies a tag and that it is not called `latest`.
|
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: Enforce
|
admission: true
|
||||||
background: true
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-image-tag
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-image-tag
|
||||||
validate:
|
validate:
|
||||||
message: "An image tag is required (:latest is not allowed)"
|
message: An image tag is required (:latest is not allowed)
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- image: "!*:latest & *:*"
|
- image: '!*:latest & *:*'
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
|
|
@ -1,32 +1,36 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: cpol-data-sync-remove-list-element-cpol
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Workload Management
|
policies.kyverno.io/category: Workload Management
|
||||||
policies.kyverno.io/description: By default, Kubernetes allows communications across
|
policies.kyverno.io/description: By default, Kubernetes allows communications
|
||||||
all pods within a cluster. Network policies and, a CNI that supports network policies,
|
across all pods within a cluster. Network policies and, a CNI that supports
|
||||||
must be used to restrict communinications. A default NetworkPolicy should be configured
|
network policies, must be used to restrict communinications. A default NetworkPolicy
|
||||||
for each namespace to default deny all ingress traffic to the pods in the namespace.
|
should be configured for each namespace to default deny all ingress traffic
|
||||||
Application teams can then configure additional NetworkPolicy resources to allow
|
to the pods in the namespace. Application teams can then configure additional
|
||||||
desired traffic to application pods from select sources.
|
NetworkPolicy resources to allow desired traffic to application pods from select
|
||||||
|
sources.
|
||||||
|
name: cpol-data-sync-remove-list-element-cpol
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: cpol-data-sync-remove-list-element-rule
|
- generate:
|
||||||
match:
|
|
||||||
resources:
|
|
||||||
kinds:
|
|
||||||
- Namespace
|
|
||||||
generate:
|
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: networking.k8s.io/v1
|
||||||
kind: NetworkPolicy
|
|
||||||
name: default-netpol
|
|
||||||
namespace: "{{request.object.metadata.name}}"
|
|
||||||
synchronize : true
|
|
||||||
data:
|
data:
|
||||||
spec:
|
spec:
|
||||||
# select all pods in the namespace
|
|
||||||
podSelector: {}
|
podSelector: {}
|
||||||
policyTypes:
|
policyTypes:
|
||||||
- Ingress
|
- Ingress
|
||||||
|
kind: NetworkPolicy
|
||||||
|
name: default-netpol
|
||||||
|
namespace: '{{request.object.metadata.name}}'
|
||||||
|
synchronize: true
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Namespace
|
||||||
|
name: cpol-data-sync-remove-list-element-rule
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,33 +1,37 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: cpol-data-sync-remove-list-element-cpol
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Workload Management
|
policies.kyverno.io/category: Workload Management
|
||||||
policies.kyverno.io/description: By default, Kubernetes allows communications across
|
policies.kyverno.io/description: By default, Kubernetes allows communications
|
||||||
all pods within a cluster. Network policies and, a CNI that supports network policies,
|
across all pods within a cluster. Network policies and, a CNI that supports
|
||||||
must be used to restrict communinications. A default NetworkPolicy should be configured
|
network policies, must be used to restrict communinications. A default NetworkPolicy
|
||||||
for each namespace to default deny all ingress traffic to the pods in the namespace.
|
should be configured for each namespace to default deny all ingress traffic
|
||||||
Application teams can then configure additional NetworkPolicy resources to allow
|
to the pods in the namespace. Application teams can then configure additional
|
||||||
desired traffic to application pods from select sources.
|
NetworkPolicy resources to allow desired traffic to application pods from select
|
||||||
|
sources.
|
||||||
|
name: cpol-data-sync-remove-list-element-cpol
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: cpol-data-sync-remove-list-element-rule
|
- generate:
|
||||||
match:
|
|
||||||
resources:
|
|
||||||
kinds:
|
|
||||||
- Namespace
|
|
||||||
generate:
|
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: networking.k8s.io/v1
|
||||||
kind: NetworkPolicy
|
|
||||||
name: default-netpol
|
|
||||||
namespace: "{{request.object.metadata.name}}"
|
|
||||||
synchronize : true
|
|
||||||
data:
|
data:
|
||||||
spec:
|
spec:
|
||||||
# select all pods in the namespace
|
|
||||||
podSelector: {}
|
podSelector: {}
|
||||||
policyTypes:
|
policyTypes:
|
||||||
- Ingress
|
- Ingress
|
||||||
- Egress
|
- Egress
|
||||||
|
kind: NetworkPolicy
|
||||||
|
name: default-netpol
|
||||||
|
namespace: '{{request.object.metadata.name}}'
|
||||||
|
synchronize: true
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Namespace
|
||||||
|
name: cpol-data-sync-remove-list-element-rule
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,26 +1,31 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: cpol-data-sync-modify-policy
|
name: cpol-data-sync-modify-policy
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: cpol-data-sync-modify-rule
|
- generate:
|
||||||
match:
|
|
||||||
resources:
|
|
||||||
kinds:
|
|
||||||
- Namespace
|
|
||||||
names:
|
|
||||||
- gemini-*
|
|
||||||
generate:
|
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ResourceQuota
|
|
||||||
name: default-resourcequota
|
|
||||||
synchronize: true
|
|
||||||
namespace: "{{request.object.metadata.name}}"
|
|
||||||
data:
|
data:
|
||||||
spec:
|
spec:
|
||||||
hard:
|
hard:
|
||||||
requests.cpu: '4'
|
limits.cpu: "8"
|
||||||
requests.memory: '16Gi'
|
limits.memory: 16Gi
|
||||||
limits.cpu: '8'
|
requests.cpu: "4"
|
||||||
limits.memory: '16Gi'
|
requests.memory: 16Gi
|
||||||
|
kind: ResourceQuota
|
||||||
|
name: default-resourcequota
|
||||||
|
namespace: '{{request.object.metadata.name}}'
|
||||||
|
synchronize: true
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Namespace
|
||||||
|
names:
|
||||||
|
- gemini-*
|
||||||
|
name: cpol-data-sync-modify-rule
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,26 +1,31 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: cpol-data-sync-modify-policy
|
name: cpol-data-sync-modify-policy
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: cpol-data-sync-modify-rule
|
- generate:
|
||||||
match:
|
|
||||||
resources:
|
|
||||||
kinds:
|
|
||||||
- Namespace
|
|
||||||
names:
|
|
||||||
- gemini-*
|
|
||||||
generate:
|
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ResourceQuota
|
|
||||||
name: default-resourcequota
|
|
||||||
synchronize: true
|
|
||||||
namespace: "{{request.object.metadata.name}}"
|
|
||||||
data:
|
data:
|
||||||
spec:
|
spec:
|
||||||
hard:
|
hard:
|
||||||
requests.cpu: '4'
|
limits.cpu: "9"
|
||||||
requests.memory: '16Gi'
|
limits.memory: 16Gi
|
||||||
limits.cpu: '9'
|
requests.cpu: "4"
|
||||||
limits.memory: '16Gi'
|
requests.memory: 16Gi
|
||||||
|
kind: ResourceQuota
|
||||||
|
name: default-resourcequota
|
||||||
|
namespace: '{{request.object.metadata.name}}'
|
||||||
|
synchronize: true
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Namespace
|
||||||
|
names:
|
||||||
|
- gemini-*
|
||||||
|
name: cpol-data-sync-modify-rule
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,17 +1,13 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: generate-update-rule-spec
|
name: generate-update-rule-spec
|
||||||
spec:
|
spec:
|
||||||
generateExisting: false
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: k-kafka-address
|
- exclude:
|
||||||
match:
|
|
||||||
any:
|
|
||||||
- resources:
|
|
||||||
kinds:
|
|
||||||
- Namespace
|
|
||||||
exclude:
|
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
namespaces:
|
namespaces:
|
||||||
|
@ -19,21 +15,29 @@ spec:
|
||||||
- default
|
- default
|
||||||
- kube-public
|
- kube-public
|
||||||
- kyverno
|
- kyverno
|
||||||
preconditions:
|
|
||||||
- key: "{{request.operation}}"
|
|
||||||
operator: NotEquals
|
|
||||||
value: DELETE
|
|
||||||
generate:
|
generate:
|
||||||
synchronize: true
|
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
|
||||||
name: zk-kafka-address
|
|
||||||
namespace: default
|
|
||||||
data:
|
data:
|
||||||
|
data:
|
||||||
|
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||||
|
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
somekey: somevalue
|
somekey: somevalue
|
||||||
data:
|
kind: ConfigMap
|
||||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
name: zk-kafka-address
|
||||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
namespace: default
|
||||||
|
synchronize: true
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Namespace
|
||||||
|
name: k-kafka-address
|
||||||
|
preconditions:
|
||||||
|
all:
|
||||||
|
- key: '{{request.operation}}'
|
||||||
|
operator: NotEquals
|
||||||
|
value: DELETE
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,37 +1,41 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: Policy
|
kind: Policy
|
||||||
metadata:
|
metadata:
|
||||||
name: generate-update-rule-spec
|
name: generate-update-rule-spec
|
||||||
namespace: default
|
namespace: default
|
||||||
spec:
|
spec:
|
||||||
generateExisting: false
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: k-kafka-address
|
- exclude:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- NetworkPolicy
|
||||||
|
generate:
|
||||||
|
apiVersion: v1
|
||||||
|
data:
|
||||||
|
data:
|
||||||
|
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||||
|
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
somekey: somevalue
|
||||||
|
kind: ConfigMap
|
||||||
|
name: zk-kafka-address
|
||||||
|
namespace: default
|
||||||
|
synchronize: true
|
||||||
match:
|
match:
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Secret
|
- Secret
|
||||||
exclude:
|
name: k-kafka-address
|
||||||
any:
|
|
||||||
- resources:
|
|
||||||
kinds:
|
|
||||||
- NetworkPolicy
|
|
||||||
preconditions:
|
preconditions:
|
||||||
- key: "{{request.operation}}"
|
all:
|
||||||
operator: NotEquals
|
- key: '{{request.operation}}'
|
||||||
value: DELETE
|
operator: NotEquals
|
||||||
generate:
|
value: DELETE
|
||||||
synchronize: true
|
validationFailureAction: Audit
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
name: zk-kafka-address
|
|
||||||
namespace: default
|
|
||||||
data:
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
somekey: somevalue
|
|
||||||
data:
|
|
||||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
|
||||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
|
||||||
|
|
|
@ -1,19 +1,24 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: add-labels
|
name: add-labels
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: add-labels
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
- Service
|
- Service
|
||||||
- ConfigMap
|
- ConfigMap
|
||||||
- Secret
|
- Secret
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
foo: bar
|
foo: bar
|
||||||
|
name: add-labels
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,17 +1,21 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: advertise-resource
|
name: advertise-resource
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
rules:
|
rules:
|
||||||
- name: advertise-resource
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Node/status
|
- Node/status
|
||||||
mutate:
|
mutate:
|
||||||
patchesJson6902: |-
|
patchesJson6902: |-
|
||||||
- op: add
|
- op: add
|
||||||
path: "/status/capacity/example.com~1dongle"
|
path: "/status/capacity/example.com~1dongle"
|
||||||
value: "4"
|
value: "4"
|
||||||
|
name: advertise-resource
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,32 +1,36 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: foreach-patchstrategicmerge-context-policy
|
name: foreach-patchstrategicmerge-context-policy
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
rules:
|
rules:
|
||||||
- name: resolve-image-containers
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
preconditions:
|
|
||||||
all:
|
|
||||||
- key: "{{request.operation}}"
|
|
||||||
operator: In
|
|
||||||
value:
|
|
||||||
- CREATE
|
|
||||||
- UPDATE
|
|
||||||
mutate:
|
mutate:
|
||||||
foreach:
|
foreach:
|
||||||
- list: "request.object.spec.containers"
|
- context:
|
||||||
context:
|
- configMap:
|
||||||
- name: dictionary
|
name: foreach-patchstrategicmerge-context-configmap
|
||||||
configMap:
|
namespace: foreach-patchstrategicmerge-context-ns
|
||||||
name: foreach-patchstrategicmerge-context-configmap
|
name: dictionary
|
||||||
namespace: foreach-patchstrategicmerge-context-ns
|
list: request.object.spec.containers
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: "{{ element.name }}"
|
- image: '{{ dictionary.data.image }}'
|
||||||
image: "{{ dictionary.data.image }}"
|
name: '{{ element.name }}'
|
||||||
|
name: resolve-image-containers
|
||||||
|
preconditions:
|
||||||
|
all:
|
||||||
|
- key: '{{request.operation}}'
|
||||||
|
operator: AllIn
|
||||||
|
value:
|
||||||
|
- CREATE
|
||||||
|
- UPDATE
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
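Review bot: The precondition operator on the new side is `operator: AllIn` where the old file had `operator: In` for the same `'{{request.operation}}'` key, which is a semantic rewrite rather than a formatting one; the resolve-image section further down carries the identical `In` → `AllIn` change. For a scalar key the two operators should evaluate the same way, but nothing on the page says the conversion is deliberate. If the fixer does this by design, a sentence in the commit description such as `the fixer rewrites the legacy In/NotIn operators to AllIn/AllNotIn` would keep later readers from treating it as an accidental behaviour change; if not, the two policies should keep `In`.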
@ -1,22 +1,24 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: mutate
|
name: mutate
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: Audit
|
|
||||||
admission: false
|
admission: false
|
||||||
background: true
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: mutate
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
- Service
|
- Service
|
||||||
- ConfigMap
|
- ConfigMap
|
||||||
- Secret
|
- Secret
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
foo: bar
|
foo: bar
|
||||||
|
name: mutate
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,20 +1,20 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Security
|
policies.kyverno.io/category: Security
|
||||||
policies.kyverno.io/description: 'This policy mutates any namespace-scoped Custom
|
policies.kyverno.io/description: 'This policy mutates any namespace-scoped Custom
|
||||||
Resource Definition created by the subjects in the xteam Azure AD group
|
Resource Definition created by the subjects in the xteam Azure AD group and
|
||||||
and adds the label "createdByXteam: true".'
|
adds the label "createdByXteam: true".'
|
||||||
policies.kyverno.io/subject: RBAC
|
policies.kyverno.io/subject: RBAC
|
||||||
policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad
|
policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad group
|
||||||
group
|
|
||||||
policy.reporter.kyverno.io/minimal: minimal
|
policy.reporter.kyverno.io/minimal: minimal
|
||||||
generation: 1
|
|
||||||
labels:
|
labels:
|
||||||
aws.cdk.eks/prune-c8b5941ff5f4fe911c5ee96472fda3d1f9866734a7: ""
|
aws.cdk.eks/prune-c8b5941ff5f4fe911c5ee96472fda3d1f9866734a7: ""
|
||||||
name: mutate-xteam-namespace-scoped-crds
|
name: mutate-xteam-namespace-scoped-crds
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
rules:
|
rules:
|
||||||
- match:
|
- match:
|
||||||
|
@ -22,9 +22,9 @@ spec:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- CustomResourceDefinition
|
- CustomResourceDefinition
|
||||||
subjects:
|
subjects:
|
||||||
- kind: Group
|
- kind: Group
|
||||||
name: aad:9b9had99-6k66-2222-9999-8aadb888e888
|
name: aad:9b9had99-6k66-2222-9999-8aadb888e888
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -39,4 +39,4 @@ spec:
|
||||||
- key: '{{ request.object.spec.scope }}'
|
- key: '{{ request.object.spec.scope }}'
|
||||||
operator: Equals
|
operator: Equals
|
||||||
value: Namespaced
|
value: Namespaced
|
||||||
validationFailureAction: audit
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,22 +1,25 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: Policy
|
kind: Policy
|
||||||
metadata:
|
metadata:
|
||||||
name: mutate
|
name: mutate
|
||||||
|
namespace: default
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: Audit
|
|
||||||
admission: false
|
admission: false
|
||||||
background: true
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: mutate
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
- Service
|
- Service
|
||||||
- ConfigMap
|
- ConfigMap
|
||||||
- Secret
|
- Secret
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
foo: bar
|
foo: bar
|
||||||
|
name: mutate
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,32 +1,35 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: preconditions
|
name: preconditions
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: Enforce
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
rules:
|
rules:
|
||||||
- name: test
|
- context:
|
||||||
match:
|
- apiCall:
|
||||||
any:
|
method: GET
|
||||||
- resources:
|
urlPath: /api/v1/namespaces/missing/configmaps/nothere
|
||||||
kinds:
|
name: nothere
|
||||||
- Pod
|
match:
|
||||||
context:
|
any:
|
||||||
- name: nothere
|
- resources:
|
||||||
apiCall:
|
kinds:
|
||||||
urlPath: /api/v1/namespaces/missing/configmaps/nothere
|
- Pod
|
||||||
preconditions:
|
name: test
|
||||||
any:
|
preconditions:
|
||||||
- key: "{{ request.name }}"
|
any:
|
||||||
operator: Equals
|
- key: '{{ request.name }}'
|
||||||
value: test
|
message: this pod is not allowed
|
||||||
message: this pod is not allowed
|
operator: Equals
|
||||||
- key: "{{ nothere }}"
|
value: test
|
||||||
operator: Equals
|
- key: '{{ nothere }}'
|
||||||
value: hello
|
message: value mismatch
|
||||||
message: value mismatch
|
operator: Equals
|
||||||
validate:
|
value: hello
|
||||||
pattern:
|
validate:
|
||||||
metadata:
|
pattern:
|
||||||
name: "*"
|
metadata:
|
||||||
|
name: '*'
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
|
|
@ -1,35 +1,39 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: check-trustable-images
|
name: check-trustable-images
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: Enforce
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: only-allow-trusted-images
|
- match:
|
||||||
match:
|
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: only-allow-trusted-images
|
||||||
preconditions:
|
preconditions:
|
||||||
- key: "{{request.operation}}"
|
all:
|
||||||
|
- key: '{{request.operation}}'
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: DELETE
|
value: DELETE
|
||||||
validate:
|
validate:
|
||||||
message: "images with root user are not allowed"
|
|
||||||
foreach:
|
foreach:
|
||||||
- list: "request.object.spec.containers"
|
- context:
|
||||||
context:
|
- imageRegistry:
|
||||||
- name: imageData
|
jmesPath: '{user: configData.config.User || '''', registry: registry}'
|
||||||
imageRegistry:
|
reference: '{{ element.image }}'
|
||||||
reference: "{{ element.image }}"
|
name: imageData
|
||||||
jmesPath: "{user: configData.config.User || '', registry: registry}"
|
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
all:
|
all:
|
||||||
- key: "{{ imageData.user }}"
|
- key: '{{ imageData.user }}'
|
||||||
operator: Equals
|
operator: Equals
|
||||||
value: ""
|
value: ""
|
||||||
- key: "{{ imageData.registry }}"
|
- key: '{{ imageData.registry }}'
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: "ghcr.io"
|
value: ghcr.io
|
||||||
|
list: request.object.spec.containers
|
||||||
|
message: images with root user are not allowed
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
|
|
@ -1,32 +1,39 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: keyed-basic-policy
|
name: keyed-basic-policy
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: enforce
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
webhookTimeoutSeconds: 30
|
|
||||||
failurePolicy: Fail
|
failurePolicy: Fail
|
||||||
rules:
|
rules:
|
||||||
- name: keyed-basic-rule
|
- match:
|
||||||
match:
|
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: keyed-basic-rule
|
||||||
verifyImages:
|
verifyImages:
|
||||||
- imageReferences:
|
- attestors:
|
||||||
- '*'
|
|
||||||
attestors:
|
|
||||||
- entries:
|
- entries:
|
||||||
- keys:
|
- keys:
|
||||||
|
ctlog:
|
||||||
|
ignoreSCT: true
|
||||||
publicKeys: |-
|
publicKeys: |-
|
||||||
-----BEGIN PUBLIC KEY-----
|
-----BEGIN PUBLIC KEY-----
|
||||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
||||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||||
-----END PUBLIC KEY-----
|
-----END PUBLIC KEY-----
|
||||||
rekor:
|
rekor:
|
||||||
url: https://rekor.sigstore.dev
|
|
||||||
ignoreTlog: true
|
ignoreTlog: true
|
||||||
ctlog:
|
url: https://rekor.sigstore.dev
|
||||||
ignoreSCT: true
|
signatureAlgorithm: sha256
|
||||||
|
imageReferences:
|
||||||
|
- '*'
|
||||||
|
mutateDigest: true
|
||||||
|
required: true
|
||||||
|
useCache: true
|
||||||
|
verifyDigest: true
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
webhookTimeoutSeconds: 30
|
||||||
|
|
|
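Review bot: The keys entry on the new side combines `ignoreTlog: true` and `ignoreSCT: true` with `url: https://rekor.sigstore.dev`, so the Rekor URL is never consulted and the check is reduced to a bare signature match against the inline key with no transparency-log or SCT evidence. That is reasonable for a CLI fixture, but the regenerated file now reads like a complete policy with every field spelled out and nothing marks the weakened mode. A one-line comment above `publicKeys` would make the intent explicit, e.g. `# fixture only: tlog/SCT verification is intentionally disabled for offline CLI tests`.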
@ -1,35 +1,42 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: tasks-keyless
|
name: tasks-keyless
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: Enforce
|
admission: true
|
||||||
webhookTimeoutSeconds: 30
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: verify-images
|
- imageExtractors:
|
||||||
|
Task:
|
||||||
|
- path: /spec/steps/*/image
|
||||||
match:
|
match:
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- tekton.dev/v1beta1/Task
|
- tekton.dev/v1beta1/Task
|
||||||
|
name: verify-images
|
||||||
preconditions:
|
preconditions:
|
||||||
- key: "{{request.operation}}"
|
all:
|
||||||
operator: NotEquals
|
- key: '{{request.operation}}'
|
||||||
value: DELETE
|
operator: NotEquals
|
||||||
imageExtractors:
|
value: DELETE
|
||||||
Task:
|
|
||||||
- path: /spec/steps/*/image
|
|
||||||
verifyImages:
|
verifyImages:
|
||||||
- imageReferences:
|
- attestors:
|
||||||
- "ghcr.io/*"
|
|
||||||
attestors:
|
|
||||||
- count: 1
|
- count: 1
|
||||||
entries:
|
entries:
|
||||||
- keyless:
|
- keyless:
|
||||||
issuer: "https://token.actions.githubusercontent.com"
|
|
||||||
subject: "https://github.com/*"
|
|
||||||
rekor:
|
|
||||||
url: https://rekor.sigstore.dev
|
|
||||||
ctlog:
|
ctlog:
|
||||||
ignoreSCT: true
|
ignoreSCT: true
|
||||||
|
issuer: https://token.actions.githubusercontent.com
|
||||||
|
rekor:
|
||||||
|
url: https://rekor.sigstore.dev
|
||||||
|
subject: https://github.com/*
|
||||||
|
imageReferences:
|
||||||
|
- ghcr.io/*
|
||||||
|
mutateDigest: true
|
||||||
required: true
|
required: true
|
||||||
|
useCache: true
|
||||||
|
verifyDigest: true
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
webhookTimeoutSeconds: 30
|
||||||
|
|
|
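Review bot: The keyless attestor on the new side accepts `subject: https://github.com/*` under `issuer: https://token.actions.githubusercontent.com`, which matches any GitHub Actions workflow identity rather than a specific organisation or repository, and with `count: 1` one such signature satisfies the rule. Since the fixture exists to exercise the Tekton `imageExtractors` path this is presumably deliberate, but the regenerated file gives no hint of it. A short comment next to the subject, e.g. `# fixture: wildcard subject on purpose; real policies should pin the org/repo`, would document that.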
@ -1,30 +1,35 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: tasks-complex
|
name: tasks-complex
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: Enforce
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: verify-images
|
- imageExtractors:
|
||||||
|
Task:
|
||||||
|
- key: name
|
||||||
|
name: steps
|
||||||
|
path: /spec/steps/*
|
||||||
|
value: image
|
||||||
match:
|
match:
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- tekton.dev/v1beta1/Task
|
- tekton.dev/v1beta1/Task
|
||||||
|
name: verify-images
|
||||||
preconditions:
|
preconditions:
|
||||||
- key: "{{request.operation}}"
|
all:
|
||||||
operator: NotEquals
|
- key: '{{request.operation}}'
|
||||||
value: DELETE
|
operator: NotEquals
|
||||||
imageExtractors:
|
value: DELETE
|
||||||
Task:
|
|
||||||
- path: /spec/steps/*
|
|
||||||
name: steps
|
|
||||||
value: image
|
|
||||||
key: name
|
|
||||||
verifyImages:
|
verifyImages:
|
||||||
- image: "*"
|
- image: '*'
|
||||||
key: |-
|
key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END
|
||||||
-----BEGIN PUBLIC KEY-----
|
PUBLIC KEY----- "
|
||||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
mutateDigest: true
|
||||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
required: true
|
||||||
-----END PUBLIC KEY-----
|
useCache: true
|
||||||
|
verifyDigest: true
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
|
|
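Review bot: The public key on the new side has become a double-quoted scalar folded over two lines, `key: "-----BEGIN PUBLIC KEY-----\n...\n-----END` continued by `PUBLIC KEY----- "`, and the closing quote is preceded by a space, so the stored value appears to end in `-----END PUBLIC KEY----- ` with a trailing blank. That trailing space is presumably what kept the serializer from emitting the `|-` block form that survives in the tasks-no-extractor section; the tasks-simple section shows the same folded form. Go's PEM decoder trims trailing whitespace on the END line, so the fixtures should still parse, but removing the stray space from the source before re-running the fixer would restore the readable block scalar and make the three Tekton fixtures consistent.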
@ -1,24 +1,32 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: tasks-no-extractor
|
name: tasks-no-extractor
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: Enforce
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: verify-images
|
- match:
|
||||||
match:
|
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- tekton.dev/v1beta1/Task
|
- tekton.dev/v1beta1/Task
|
||||||
|
name: verify-images
|
||||||
preconditions:
|
preconditions:
|
||||||
- key: "{{request.operation}}"
|
all:
|
||||||
operator: NotEquals
|
- key: '{{request.operation}}'
|
||||||
value: DELETE
|
operator: NotEquals
|
||||||
|
value: DELETE
|
||||||
verifyImages:
|
verifyImages:
|
||||||
- image: "*"
|
- image: '*'
|
||||||
key: |-
|
key: |-
|
||||||
-----BEGIN PUBLIC KEY-----
|
-----BEGIN PUBLIC KEY-----
|
||||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
||||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||||
-----END PUBLIC KEY-----
|
-----END PUBLIC KEY-----
|
||||||
|
mutateDigest: true
|
||||||
|
required: true
|
||||||
|
useCache: true
|
||||||
|
verifyDigest: true
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
|
|
@ -1,27 +1,32 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: tasks-simple
|
name: tasks-simple
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: Enforce
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: verify-images
|
- imageExtractors:
|
||||||
|
Task:
|
||||||
|
- path: /spec/steps/*/image
|
||||||
match:
|
match:
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- tekton.dev/v1beta1/Task
|
- tekton.dev/v1beta1/Task
|
||||||
|
name: verify-images
|
||||||
preconditions:
|
preconditions:
|
||||||
- key: "{{request.operation}}"
|
all:
|
||||||
operator: NotEquals
|
- key: '{{request.operation}}'
|
||||||
value: DELETE
|
operator: NotEquals
|
||||||
imageExtractors:
|
value: DELETE
|
||||||
Task:
|
|
||||||
- path: /spec/steps/*/image
|
|
||||||
verifyImages:
|
verifyImages:
|
||||||
- image: "*"
|
- image: '*'
|
||||||
key: |-
|
key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END
|
||||||
-----BEGIN PUBLIC KEY-----
|
PUBLIC KEY----- "
|
||||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
mutateDigest: true
|
||||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
required: true
|
||||||
-----END PUBLIC KEY-----
|
useCache: true
|
||||||
|
verifyDigest: true
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
|
|
@ -4,26 +4,28 @@ kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: path-canonicalize
|
name: path-canonicalize
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: enforce
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
rules:
|
rules:
|
||||||
- name: disallow-mount-containerd-sock
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: disallow-mount-containerd-sock
|
||||||
validate:
|
validate:
|
||||||
foreach:
|
foreach:
|
||||||
- list: "request.object.spec.volumes[]"
|
- deny:
|
||||||
deny:
|
|
||||||
conditions:
|
conditions:
|
||||||
any:
|
any:
|
||||||
- key: "{{ path_canonicalize(element.hostPath.path) }}"
|
- key: '{{ path_canonicalize(element.hostPath.path) }}'
|
||||||
operator: Equals
|
operator: Equals
|
||||||
value: "/var/run/containerd/containerd.sock"
|
value: /var/run/containerd/containerd.sock
|
||||||
- key: "{{ path_canonicalize(element.hostPath.path) }}"
|
- key: '{{ path_canonicalize(element.hostPath.path) }}'
|
||||||
operator: Equals
|
operator: Equals
|
||||||
value: "/run/containerd/containerd.sock"
|
value: /run/containerd/containerd.sock
|
||||||
- key: "{{ path_canonicalize(element.hostPath.path) }}"
|
- key: '{{ path_canonicalize(element.hostPath.path) }}'
|
||||||
operator: Equals
|
operator: Equals
|
||||||
value: "\\var\\run\\containerd\\containerd.sock"
|
value: \var\run\containerd\containerd.sock
|
||||||
|
list: request.object.spec.volumes[]
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
|
|
@ -1,16 +1,21 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: mutate-pod-disable-automoutingapicred
|
name: mutate-pod-disable-automoutingapicred
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: pod-disable-automoutingapicred
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
spec:
|
spec:
|
||||||
(serviceAccountName): "*"
|
(serviceAccountName): '*'
|
||||||
automountServiceAccountToken: false
|
automountServiceAccountToken: false
|
||||||
|
name: pod-disable-automoutingapicred
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,34 +1,36 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: resolve-image
|
name: resolve-image
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
rules:
|
rules:
|
||||||
- name: resolve-image-containers
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
preconditions:
|
|
||||||
all:
|
|
||||||
- key: "{{request.operation}}"
|
|
||||||
operator: In
|
|
||||||
value:
|
|
||||||
- CREATE
|
|
||||||
- UPDATE
|
|
||||||
mutate:
|
mutate:
|
||||||
foreach:
|
foreach:
|
||||||
- list: "request.object.spec.containers"
|
- context:
|
||||||
context:
|
- configMap:
|
||||||
- name: dictionary
|
name: some-config-map
|
||||||
configMap:
|
namespace: some-namespace
|
||||||
# Name of the ConfigMap which will be looked up
|
name: dictionary
|
||||||
name: some-config-map
|
list: request.object.spec.containers
|
||||||
# Namespace in which this ConfigMap is stored
|
|
||||||
namespace: some-namespace
|
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: "{{ element.name }}"
|
- image: '{{ dictionary.data.image }}'
|
||||||
image: "{{ dictionary.data.image }}"
|
name: '{{ element.name }}'
|
||||||
|
name: resolve-image-containers
|
||||||
|
preconditions:
|
||||||
|
all:
|
||||||
|
- key: '{{request.operation}}'
|
||||||
|
operator: AllIn
|
||||||
|
value:
|
||||||
|
- CREATE
|
||||||
|
- UPDATE
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
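Review bot: The regenerated policy drops the two explanatory comments on the configMap context entry, `# Name of the ConfigMap which will be looked up` and `# Namespace in which this ConfigMap is stored`; the fixer presumably round-trips through a YAML object model that cannot carry comments. The same loss shows in the image-pull-policy section (`# select images which end with :latest`, `# require that the imagePullPolicy is "Always"`) and in both validation-example2 sections (`# Kind specifies one or more resource types to match`, `# Name is optional and can use wildcards`). Because the fixer will rewrite these files again on the next run, either the comments are re-added by hand after each pass or the commit description should state that inline comments are not preserved, so the loss is a known trade-off rather than a surprise.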
@ -1,40 +1,45 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: check-cpu-memory
|
name: check-cpu-memory
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: check-defined
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Deployment
|
- Deployment
|
||||||
|
name: check-defined
|
||||||
validate:
|
validate:
|
||||||
message: "Resource limits are required for CPU and memory"
|
message: Resource limits are required for CPU and memory
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: "?*"
|
- name: ?*
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
memory: "?*"
|
cpu: ?*
|
||||||
cpu: "?*"
|
memory: ?*
|
||||||
|
- match:
|
||||||
- name: check-cpu
|
any:
|
||||||
match:
|
- resources:
|
||||||
resources:
|
kinds:
|
||||||
kinds:
|
- Deployment
|
||||||
- Deployment
|
name: check-cpu
|
||||||
validate:
|
validate:
|
||||||
message: "CPU request should be less than 4"
|
message: CPU request should be less than 4
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: "*"
|
- name: '*'
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
cpu: "<4m"
|
cpu: <4m
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,19 +1,24 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: check-host-path
|
name: check-host-path
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: check-host-path
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: check-host-path
|
||||||
validate:
|
validate:
|
||||||
message: "Host path is not allowed"
|
message: Host path is not allowed
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
volumes:
|
volumes:
|
||||||
- name: "*"
|
- hostPath:
|
||||||
hostPath:
|
|
||||||
path: ""
|
path: ""
|
||||||
|
name: '*'
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,22 +1,25 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: image-pull-policy
|
name: image-pull-policy
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: image-pull-policy
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Deployment
|
- Deployment
|
||||||
|
name: image-pull-policy
|
||||||
validate:
|
validate:
|
||||||
message: "Image tag ':latest' requires imagePullPolicy 'Always'"
|
message: Image tag ':latest' requires imagePullPolicy 'Always'
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
# select images which end with :latest
|
- (image): '*latest'
|
||||||
- (image): "*latest"
|
|
||||||
# require that the imagePullPolicy is "Always"
|
|
||||||
imagePullPolicy: Always
|
imagePullPolicy: Always
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,26 +1,27 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
kind : ClusterPolicy
|
apiVersion: kyverno.io/v1
|
||||||
metadata :
|
kind: ClusterPolicy
|
||||||
name : validation-example2
|
metadata:
|
||||||
spec :
|
name: validation-example2
|
||||||
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: check-memory_requests_link_in_yaml
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
# Kind specifies one or more resource types to match
|
|
||||||
kinds:
|
kinds:
|
||||||
- Deployment
|
- Deployment
|
||||||
# Name is optional and can use wildcards
|
name: '*'
|
||||||
name: "*"
|
name: check-memory_requests_link_in_yaml
|
||||||
# Selector is optional
|
validate:
|
||||||
selector:
|
pattern:
|
||||||
validate:
|
spec:
|
||||||
pattern:
|
containers:
|
||||||
spec:
|
- name: '*'
|
||||||
containers:
|
resources:
|
||||||
- name: "*"
|
limits:
|
||||||
resources:
|
memory: 2048Mi
|
||||||
requests:
|
requests:
|
||||||
memory: "$(<=/spec/containers/0/resources/limits/memory)"
|
memory: $(<=/spec/containers/0/resources/limits/memory)
|
||||||
limits:
|
validationFailureAction: Audit
|
||||||
memory: "2048Mi"
|
|
||||||
|
|
|
@ -1,26 +1,27 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
kind : ClusterPolicy
|
apiVersion: kyverno.io/v1
|
||||||
metadata :
|
kind: ClusterPolicy
|
||||||
name : validation-example2
|
metadata:
|
||||||
spec :
|
name: validation-example2
|
||||||
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: check-memory_requests_link_in_yaml_relative
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
# Kind specifies one or more resource types to match
|
|
||||||
kinds:
|
kinds:
|
||||||
- Deployment
|
- Deployment
|
||||||
# Name is optional and can use wildcards
|
name: '*'
|
||||||
name: "*"
|
name: check-memory_requests_link_in_yaml_relative
|
||||||
# Selector is optional
|
validate:
|
||||||
selector:
|
pattern:
|
||||||
validate:
|
spec:
|
||||||
pattern:
|
containers:
|
||||||
spec:
|
- (name): '*'
|
||||||
containers:
|
resources:
|
||||||
- (name): "*"
|
lim(its:
|
||||||
resources:
|
mem)ory: 2048Mi
|
||||||
requests:
|
requests:
|
||||||
memory: "$(<=./../../lim(its/mem)ory)"
|
memory: $(<=./../../lim(its/mem)ory)
|
||||||
lim(its:
|
validationFailureAction: Audit
|
||||||
mem)ory: "2048Mi"
|
|
||||||
|
|
|
@ -1,34 +1,35 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: check-kernel
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/title: Check Node for CVE-2022-0185
|
|
||||||
policies.kyverno.io/category: Other
|
|
||||||
policies.kyverno.io/severity: high
|
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
|
||||||
policies.kyverno.io/minversion: 1.6.0
|
|
||||||
kyverno.io/kubernetes-version: "1.23"
|
kyverno.io/kubernetes-version: "1.23"
|
||||||
policies.kyverno.io/subject: Node
|
kyverno.io/kyverno-version: 1.6.0
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/category: Other
|
||||||
Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched.
|
policies.kyverno.io/description: Linux CVE-2022-0185 can allow a container escape
|
||||||
The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2.
|
in Kubernetes if left unpatched. The affected Linux kernel versions, at this
|
||||||
For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185.
|
time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185.
|
||||||
This policy runs in background mode and flags an entry in the ClusterPolicyReport
|
This policy runs in background mode and flags an entry in the ClusterPolicyReport
|
||||||
if any Node is reporting one of the affected kernel versions.
|
if any Node is reporting one of the affected kernel versions.
|
||||||
|
policies.kyverno.io/minversion: 1.6.0
|
||||||
|
policies.kyverno.io/severity: high
|
||||||
|
policies.kyverno.io/subject: Node
|
||||||
|
policies.kyverno.io/title: Check Node for CVE-2022-0185
|
||||||
|
name: check-kernel
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
background: true
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: kernel-validate
|
- match:
|
||||||
match:
|
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Node
|
- Node
|
||||||
|
name: kernel-validate
|
||||||
validate:
|
validate:
|
||||||
message: "Kernel is vulnerable to CVE-2022-0185."
|
message: Kernel is vulnerable to CVE-2022-0185.
|
||||||
pattern:
|
pattern:
|
||||||
status:
|
status:
|
||||||
nodeInfo:
|
nodeInfo:
|
||||||
kernelVersion: "!5.10.84-1 & !5.15.5-2"
|
kernelVersion: '!5.10.84-1 & !5.15.5-2'
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,16 +1,21 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: check-node-port
|
name: check-node-port
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: check-node-port
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Service
|
- Service
|
||||||
|
name: check-node-port
|
||||||
validate:
|
validate:
|
||||||
message: "NodePort type is not allowed"
|
message: NodePort type is not allowed
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
type: "!NodePort"
|
type: '!NodePort'
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,21 +1,26 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
kind : ClusterPolicy
|
apiVersion: kyverno.io/v1
|
||||||
metadata :
|
kind: ClusterPolicy
|
||||||
name : check-non-root
|
metadata:
|
||||||
spec :
|
name: check-non-root
|
||||||
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: check-non-root
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Deployment
|
- Deployment
|
||||||
- StatefuleSet
|
- StatefuleSet
|
||||||
- DaemonSet
|
- DaemonSet
|
||||||
validate:
|
name: check-non-root
|
||||||
message: "Root user is not allowed"
|
validate:
|
||||||
pattern:
|
message: Root user is not allowed
|
||||||
spec:
|
pattern:
|
||||||
template:
|
spec:
|
||||||
spec:
|
template:
|
||||||
securityContext:
|
spec:
|
||||||
runAsNonRoot: true
|
securityContext:
|
||||||
|
runAsNonRoot: true
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
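Review bot: The kinds list still carries the misspelling `- StatefuleSet` on both sides of this hunk (under `match.any[].resources.kinds`), so the `check-non-root` rule never matches StatefulSet workloads and the `runAsNonRoot: true` requirement is silently not enforced for them. The fixer rewrites quoting and key order but does not validate kind names, so this needs a manual correction: `- StatefulSet`. If the fixture intentionally exercises an unknown kind, a comment above the line saying so would save the next reader the same question.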
@ -1,36 +1,42 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
kind : ClusterPolicy
|
apiVersion: kyverno.io/v1
|
||||||
metadata :
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
name: check-probe-exists
|
name: check-probe-exists
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: check-liveness-probe-exists
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds :
|
kinds:
|
||||||
- StatefulSet
|
- StatefulSet
|
||||||
|
name: check-liveness-probe-exists
|
||||||
validate:
|
validate:
|
||||||
message: "a livenessProbe is required"
|
message: a livenessProbe is required
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: "*"
|
- livenessProbe:
|
||||||
livenessProbe:
|
periodSeconds: '>0'
|
||||||
periodSeconds: ">0"
|
name: '*'
|
||||||
- name: check-readiness-probe-exists
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds :
|
kinds:
|
||||||
- StatefulSet
|
- StatefulSet
|
||||||
|
name: check-readiness-probe-exists
|
||||||
validate:
|
validate:
|
||||||
message: "a readinessProbe is required"
|
message: a readinessProbe is required
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: "*"
|
- name: '*'
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
periodSeconds: ">0"
|
periodSeconds: '>0'
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,36 +1,42 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
kind : ClusterPolicy
|
apiVersion: kyverno.io/v1
|
||||||
metadata :
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
name: check-probe-intervals
|
name: check-probe-intervals
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: check-probe-intervals
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds :
|
kinds:
|
||||||
- Deployment
|
- Deployment
|
||||||
|
name: check-probe-intervals
|
||||||
validate:
|
validate:
|
||||||
message: "livenessProbe must be > 10s"
|
message: livenessProbe must be > 10s
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: "*"
|
- livenessProbe:
|
||||||
livenessProbe:
|
periodSeconds: '>10'
|
||||||
periodSeconds: ">10"
|
name: '*'
|
||||||
- name: check-probe-intervals
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds :
|
kinds:
|
||||||
- Deployment
|
- Deployment
|
||||||
|
name: check-probe-intervals
|
||||||
validate:
|
validate:
|
||||||
message: "readinessProbe must be > 10s"
|
message: readinessProbe must be > 10s
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: "*"
|
- name: '*'
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
periodSeconds: ">10"
|
periodSeconds: '>10'
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
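Review bot: Both rules in this policy are named `check-probe-intervals` (the `name:` line following each `match:` block), and the fixer preserved the duplicate. As far as I recall Kyverno's policy validation rejects duplicate rule names, and even where the CLI tolerates it the liveness and readiness results become indistinguishable in reports and test output. Rename the second rule, e.g. `name: check-readiness-probe-interval`, mirroring the `check-liveness-probe-exists` / `check-readiness-probe-exists` pair in the previous hunk.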
@ -1,22 +1,26 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: check-registries
|
name: check-registries
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: check-registries
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Deployment
|
- Deployment
|
||||||
- StatefulSet
|
- StatefulSet
|
||||||
|
name: check-registries
|
||||||
validate:
|
validate:
|
||||||
message: "Registry is not allowed"
|
message: Registry is not allowed
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: "*"
|
- image: '*/nirmata/* | https://private.registry.io/*'
|
||||||
# Check allowed registries
|
name: '*'
|
||||||
image: "*/nirmata/* | https://private.registry.io/*"
|
validationFailureAction: Audit
|
||||||
|
|
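Review bot: The allowed-registry pattern `image: '*/nirmata/* | https://private.registry.io/*'` is looser than its `Registry is not allowed` message suggests: the leading `*` in `*/nirmata/*` matches any registry host, so an image like `anyhost.example/nirmata/app` (constructed example) passes, and the second alternative can only match an image reference that literally begins with `https://`, which container image references do not carry. This predates the commit and the fixer only re-quoted the line, but a registry allow-list should anchor on the host, e.g. `image: '<registry-host>/nirmata/* | private.registry.io/*'` with `<registry-host>` replaced by the intended registry. If the fixture only exercises the `|` alternation syntax, restoring the dropped `# Check allowed registries` comment with that intent stated would make it explicit.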