
chore: fix policies (#8449)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2023-09-19 12:28:58 +02:00 committed by GitHub
parent f9c85f447d
commit 6a43ec4bcf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
42 changed files with 820 additions and 637 deletions


@ -547,12 +547,12 @@ codegen-docs-all: codegen-helm-docs codegen-cli-docs codegen-api-docs ## Genera
.PHONY: codegen-fix-tests .PHONY: codegen-fix-tests
codegen-fix-tests: $(CLI_BIN) ## Fix CLI test files codegen-fix-tests: $(CLI_BIN) ## Fix CLI test files
@echo Fix CLI test files... >&2 @echo Fix CLI test files... >&2
@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix test ./test/cli --save --compress --force @KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix test . --save --compress --force
.PHONY: codegen-fix-policies .PHONY: codegen-fix-policies
codegen-fix-policies: $(CLI_BIN) ## Fix CLI policy files codegen-fix-policies: $(CLI_BIN) ## Fix CLI policy files
@echo Fix CLI policy files... >&2 @echo Fix CLI policy files... >&2
@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix policy ./test/cli/test --save @KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix policy . --save
.PHONY: codegen-cli-all .PHONY: codegen-cli-all
codegen-cli-all: codegen-cli-crds codegen-cli-docs codegen-cli-api-docs codegen-fix-tests ## Generate all CLI related code and docs codegen-cli-all: codegen-cli-crds codegen-cli-docs codegen-cli-api-docs codegen-fix-tests ## Generate all CLI related code and docs
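Review bot: Changing the walk root of both `fix test` and `fix policy` from `./test/cli` to `.` widens them to the whole repository while keeping `--save` (and `--force` for tests), so every file under the tree that the CLI classifies as a test or policy manifest is now rewritten in place. Presumably that is the intent for the test fixtures in this commit, but nothing in the target documents or bounds it, and directories such as charts, samples or config are, as far as the Makefile shows, no longer excluded. Either keep an explicit list of roots, or state the whole-tree behaviour in the target's help text, e.g. `codegen-fix-policies: $(CLI_BIN) ## Rewrite every policy file in the repo (runs fix policy on .)`. The same applies to the `codegen-fix-tests` line above it.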


@ -1,4 +1,7 @@
name: test-registry apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: test-registry
policies: policies:
- image-example.yaml - image-example.yaml
resources: resources:
@ -8,11 +11,6 @@ results:
policy: images policy: images
resources: resources:
- test-pod-with-non-root-user-image - test-pod-with-non-root-user-image
result: pass
rule: only-allow-trusted-images
- kind: Pod
policy: images
resources:
- test-pod-with-trusted-registry - test-pod-with-trusted-registry
result: pass result: pass
rule: only-allow-trusted-images rule: only-allow-trusted-images


@ -1,16 +1,12 @@
name: add-quota apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: add-quota
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- generatedResource: generatedResourceQuota.yaml
kind: Namespace
policy: add-ns-quota
resources:
- hello-world-namespace
result: pass
rule: generate-resourcequota
- generatedResource: generatedLimitRange.yaml - generatedResource: generatedLimitRange.yaml
kind: Namespace kind: Namespace
policy: add-ns-quota policy: add-ns-quota
@ -18,3 +14,10 @@ results:
- hello-world-namespace - hello-world-namespace
result: pass result: pass
rule: generate-limitrange rule: generate-limitrange
- generatedResource: generatedResourceQuota.yaml
kind: Namespace
policy: add-ns-quota
resources:
- hello-world-namespace
result: pass
rule: generate-resourcequota


@ -107,6 +107,18 @@ func (o options) processFile(out io.Writer, path string) {
rule := rule.(map[string]interface{}) rule := rule.(map[string]interface{})
unstructured.RemoveNestedField(rule, "exclude", "resources") unstructured.RemoveNestedField(rule, "exclude", "resources")
unstructured.RemoveNestedField(rule, "match", "resources") unstructured.RemoveNestedField(rule, "match", "resources")
if any, ok, err := unstructured.NestedFieldNoCopy(rule, "match", "any"); ok && err == nil {
cleanResourceFilters(any.([]interface{}))
}
if all, ok, err := unstructured.NestedFieldNoCopy(rule, "match", "all"); ok && err == nil {
cleanResourceFilters(all.([]interface{}))
}
if any, ok, err := unstructured.NestedFieldNoCopy(rule, "exclude", "any"); ok && err == nil {
cleanResourceFilters(any.([]interface{}))
}
if all, ok, err := unstructured.NestedFieldNoCopy(rule, "exclude", "all"); ok && err == nil {
cleanResourceFilters(all.([]interface{}))
}
if item, _, _ := unstructured.NestedMap(rule, "generate", "clone"); len(item) == 0 { if item, _, _ := unstructured.NestedMap(rule, "generate", "clone"); len(item) == 0 {
unstructured.RemoveNestedField(rule, "generate", "clone") unstructured.RemoveNestedField(rule, "generate", "clone")
} }
@ -165,3 +177,12 @@ func (o options) processFile(out io.Writer, path string) {
fmt.Fprintln(out, " OK") fmt.Fprintln(out, " OK")
} }
} }
func cleanResourceFilters(rf []interface{}) {
for _, f := range rf {
a := f.(map[string]interface{})
if item, _, _ := unstructured.NestedMap(a, "resources"); len(item) == 0 {
unstructured.RemoveNestedField(a, "resources")
}
}
}
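Review bot: The `.([]interface{})` assertions in the four new `NestedFieldNoCopy` branches of processFile, and the `f.(map[string]interface{})` assertion in the new cleanResourceFilters, are unchecked, so a policy file whose `match.any`, `match.all`, `exclude.any` or `exclude.all` holds a scalar, a map or `null` makes `kyverno fix policy` panic instead of reporting the malformed file; `NestedFieldNoCopy` only reports missing paths and non-map intermediates, not the leaf type. Use the comma-ok form in both places, e.g. in processFile `if v, ok, err := unstructured.NestedFieldNoCopy(rule, "match", "any"); ok && err == nil { if list, ok := v.([]interface{}); ok { cleanResourceFilters(list) } }`, and in cleanResourceFilters `a, ok := f.(map[string]interface{})` followed by `if !ok { continue }`. The local name `any` in processFile also shadows the builtin `any` alias; a name such as `anyFilters` avoids that. cleanResourceFilters is complete in this hunk, while processFile starts before and continues past the first hunk.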


@ -10,6 +10,8 @@ import (
"github.com/go-git/go-billy/v5/memfs" "github.com/go-git/go-billy/v5/memfs"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/v1alpha1" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/v1alpha1"
"gotest.tools/assert"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
) )
func TestLoadTests(t *testing.T) { func TestLoadTests(t *testing.T) {
@ -47,7 +49,13 @@ func TestLoadTests(t *testing.T) {
want: []TestCase{{ want: []TestCase{{
Path: "../_testdata/tests/test-1/kyverno-test.yaml", Path: "../_testdata/tests/test-1/kyverno-test.yaml",
Test: &v1alpha1.Test{ Test: &v1alpha1.Test{
Name: "test-registry", TypeMeta: metav1.TypeMeta{
APIVersion: "cli.kyverno.io/v1alpha1",
Kind: "Test",
},
ObjectMeta: metav1.ObjectMeta{
Name: "test-registry",
},
Policies: []string{"image-example.yaml"}, Policies: []string{"image-example.yaml"},
Resources: []string{"resources.yaml"}, Resources: []string{"resources.yaml"},
Results: []v1alpha1.TestResult{{ Results: []v1alpha1.TestResult{{
@ -57,15 +65,10 @@ func TestLoadTests(t *testing.T) {
Result: policyreportv1alpha2.StatusPass, Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images", Rule: "only-allow-trusted-images",
}, },
Resources: []string{"test-pod-with-non-root-user-image"}, Resources: []string{
}, { "test-pod-with-non-root-user-image",
TestResultBase: v1alpha1.TestResultBase{ "test-pod-with-trusted-registry",
Kind: "Pod",
Policy: "images",
Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images",
}, },
Resources: []string{"test-pod-with-trusted-registry"},
}}, }},
}, },
}}, }},
@ -77,7 +80,13 @@ func TestLoadTests(t *testing.T) {
want: []TestCase{{ want: []TestCase{{
Path: "../_testdata/tests/test-2/kyverno-test.yaml", Path: "../_testdata/tests/test-2/kyverno-test.yaml",
Test: &v1alpha1.Test{ Test: &v1alpha1.Test{
Name: "add-quota", TypeMeta: metav1.TypeMeta{
APIVersion: "cli.kyverno.io/v1alpha1",
Kind: "Test",
},
ObjectMeta: metav1.ObjectMeta{
Name: "add-quota",
},
Policies: []string{"policy.yaml"}, Policies: []string{"policy.yaml"},
Resources: []string{"resource.yaml"}, Resources: []string{"resource.yaml"},
Results: []v1alpha1.TestResult{{ Results: []v1alpha1.TestResult{{
@ -85,8 +94,8 @@ func TestLoadTests(t *testing.T) {
Kind: "Namespace", Kind: "Namespace",
Policy: "add-ns-quota", Policy: "add-ns-quota",
Result: policyreportv1alpha2.StatusPass, Result: policyreportv1alpha2.StatusPass,
Rule: "generate-resourcequota", Rule: "generate-limitrange",
GeneratedResource: "generatedResourceQuota.yaml", GeneratedResource: "generatedLimitRange.yaml",
}, },
Resources: []string{"hello-world-namespace"}, Resources: []string{"hello-world-namespace"},
}, { }, {
@ -94,8 +103,8 @@ func TestLoadTests(t *testing.T) {
Kind: "Namespace", Kind: "Namespace",
Policy: "add-ns-quota", Policy: "add-ns-quota",
Result: policyreportv1alpha2.StatusPass, Result: policyreportv1alpha2.StatusPass,
Rule: "generate-limitrange", Rule: "generate-resourcequota",
GeneratedResource: "generatedLimitRange.yaml", GeneratedResource: "generatedResourceQuota.yaml",
}, },
Resources: []string{"hello-world-namespace"}, Resources: []string{"hello-world-namespace"},
}}, }},
@ -109,7 +118,13 @@ func TestLoadTests(t *testing.T) {
want: []TestCase{{ want: []TestCase{{
Path: "../_testdata/tests/test-1/kyverno-test.yaml", Path: "../_testdata/tests/test-1/kyverno-test.yaml",
Test: &v1alpha1.Test{ Test: &v1alpha1.Test{
Name: "test-registry", TypeMeta: metav1.TypeMeta{
APIVersion: "cli.kyverno.io/v1alpha1",
Kind: "Test",
},
ObjectMeta: metav1.ObjectMeta{
Name: "test-registry",
},
Policies: []string{"image-example.yaml"}, Policies: []string{"image-example.yaml"},
Resources: []string{"resources.yaml"}, Resources: []string{"resources.yaml"},
Results: []v1alpha1.TestResult{{ Results: []v1alpha1.TestResult{{
@ -119,21 +134,22 @@ func TestLoadTests(t *testing.T) {
Result: policyreportv1alpha2.StatusPass, Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images", Rule: "only-allow-trusted-images",
}, },
Resources: []string{"test-pod-with-non-root-user-image"}, Resources: []string{
}, { "test-pod-with-non-root-user-image",
TestResultBase: v1alpha1.TestResultBase{ "test-pod-with-trusted-registry",
Kind: "Pod",
Policy: "images",
Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images",
}, },
Resources: []string{"test-pod-with-trusted-registry"},
}}, }},
}, },
}, { }, {
Path: "../_testdata/tests/test-2/kyverno-test.yaml", Path: "../_testdata/tests/test-2/kyverno-test.yaml",
Test: &v1alpha1.Test{ Test: &v1alpha1.Test{
Name: "add-quota", TypeMeta: metav1.TypeMeta{
APIVersion: "cli.kyverno.io/v1alpha1",
Kind: "Test",
},
ObjectMeta: metav1.ObjectMeta{
Name: "add-quota",
},
Policies: []string{"policy.yaml"}, Policies: []string{"policy.yaml"},
Resources: []string{"resource.yaml"}, Resources: []string{"resource.yaml"},
Results: []v1alpha1.TestResult{{ Results: []v1alpha1.TestResult{{
@ -141,8 +157,8 @@ func TestLoadTests(t *testing.T) {
Kind: "Namespace", Kind: "Namespace",
Policy: "add-ns-quota", Policy: "add-ns-quota",
Result: policyreportv1alpha2.StatusPass, Result: policyreportv1alpha2.StatusPass,
Rule: "generate-resourcequota", Rule: "generate-limitrange",
GeneratedResource: "generatedResourceQuota.yaml", GeneratedResource: "generatedLimitRange.yaml",
}, },
Resources: []string{"hello-world-namespace"}, Resources: []string{"hello-world-namespace"},
}, { }, {
@ -150,8 +166,8 @@ func TestLoadTests(t *testing.T) {
Kind: "Namespace", Kind: "Namespace",
Policy: "add-ns-quota", Policy: "add-ns-quota",
Result: policyreportv1alpha2.StatusPass, Result: policyreportv1alpha2.StatusPass,
Rule: "generate-limitrange", Rule: "generate-resourcequota",
GeneratedResource: "generatedLimitRange.yaml", GeneratedResource: "generatedResourceQuota.yaml",
}, },
Resources: []string{"hello-world-namespace"}, Resources: []string{"hello-world-namespace"},
}}, }},
@ -198,7 +214,13 @@ func TestLoadTest(t *testing.T) {
want: TestCase{ want: TestCase{
Path: "../_testdata/tests/test-1/kyverno-test.yaml", Path: "../_testdata/tests/test-1/kyverno-test.yaml",
Test: &v1alpha1.Test{ Test: &v1alpha1.Test{
Name: "test-registry", TypeMeta: metav1.TypeMeta{
APIVersion: "cli.kyverno.io/v1alpha1",
Kind: "Test",
},
ObjectMeta: metav1.ObjectMeta{
Name: "test-registry",
},
Policies: []string{"image-example.yaml"}, Policies: []string{"image-example.yaml"},
Resources: []string{"resources.yaml"}, Resources: []string{"resources.yaml"},
Results: []v1alpha1.TestResult{{ Results: []v1alpha1.TestResult{{
@ -208,15 +230,10 @@ func TestLoadTest(t *testing.T) {
Result: policyreportv1alpha2.StatusPass, Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images", Rule: "only-allow-trusted-images",
}, },
Resources: []string{"test-pod-with-non-root-user-image"}, Resources: []string{
}, { "test-pod-with-non-root-user-image",
TestResultBase: v1alpha1.TestResultBase{ "test-pod-with-trusted-registry",
Kind: "Pod",
Policy: "images",
Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images",
}, },
Resources: []string{"test-pod-with-trusted-registry"},
}}, }},
}, },
}, },
@ -226,7 +243,13 @@ func TestLoadTest(t *testing.T) {
want: TestCase{ want: TestCase{
Path: "kyverno-test.yaml", Path: "kyverno-test.yaml",
Test: &v1alpha1.Test{ Test: &v1alpha1.Test{
Name: "test-registry", TypeMeta: metav1.TypeMeta{
APIVersion: "cli.kyverno.io/v1alpha1",
Kind: "Test",
},
ObjectMeta: metav1.ObjectMeta{
Name: "test-registry",
},
Policies: []string{"image-example.yaml"}, Policies: []string{"image-example.yaml"},
Resources: []string{"resources.yaml"}, Resources: []string{"resources.yaml"},
Results: []v1alpha1.TestResult{{ Results: []v1alpha1.TestResult{{
@ -236,15 +259,10 @@ func TestLoadTest(t *testing.T) {
Result: policyreportv1alpha2.StatusPass, Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images", Rule: "only-allow-trusted-images",
}, },
Resources: []string{"test-pod-with-non-root-user-image"}, Resources: []string{
}, { "test-pod-with-non-root-user-image",
TestResultBase: v1alpha1.TestResultBase{ "test-pod-with-trusted-registry",
Kind: "Pod",
Policy: "images",
Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images",
}, },
Resources: []string{"test-pod-with-trusted-registry"},
}}, }},
}, },
}, },
@ -288,10 +306,9 @@ func TestLoadTest(t *testing.T) {
return return
} }
got.Err = nil got.Err = nil
tt.want.Fs = tt.fs tt.want.Fs = nil
if !reflect.DeepEqual(got, tt.want) { got.Fs = nil
t.Errorf("LoadTest() = %v, want %v", got, tt.want) assert.DeepEqual(t, tt.want, got)
}
}) })
} }
} }
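Review bot: The rewritten comparison at the end of TestLoadTest sets both `tt.want.Fs` and `got.Fs` to nil before `assert.DeepEqual`, so the test no longer checks that LoadTest hands back the filesystem it was given, which the old `tt.want.Fs = tt.fs` plus `reflect.DeepEqual` did verify. Presumably the nil-out is there because go-cmp cannot compare memfs internals; if so, keep the check as an identity test before nilling, e.g. `if got.Fs != tt.fs { t.Errorf("LoadTest() Fs = %v, want %v", got.Fs, tt.fs) }`, assuming `Fs` is an interface holding the same value on both sides. TestLoadTest starts outside this hunk.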


@ -1,20 +1,24 @@
# A file with no reserved name "assert" or "errors" will be created with the below contents. Can be multiple YAML docs in the same file. ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: add-labels name: add-labels
spec: spec:
admission: true
background: true
rules: rules:
- name: add-labels - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
- Service - Service
- ConfigMap - ConfigMap
- Secret - Secret
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
labels: labels:
foo: bar foo: bar
name: add-labels
validationFailureAction: Audit


@ -1,19 +1,24 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: add-labels name: add-labels
spec: spec:
admission: true
background: true
rules: rules:
- name: add-labels - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
- Service - Service
- ConfigMap - ConfigMap
- Secret - Secret
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
labels: labels:
foo: bar foo: bar
name: add-labels
validationFailureAction: Audit


@ -1,13 +1,16 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: testcase-7fki3 name: testcase-7fki3
spec: spec:
schemaValidation: false admission: true
background: false background: false
validationFailureAction: Enforce
rules: rules:
- name: mutate1 - context:
- name: var1
variable:
value: AAA
match: match:
all: all:
- resources: - resources:
@ -15,31 +18,27 @@ spec:
- v1/ConfigMap - v1/ConfigMap
names: names:
- testcase-7fki3-resource - testcase-7fki3-resource
context: mutate:
- name: var1 foreach:
variable: - list: '[''dummy'']'
value: AAA patchStrategicMerge:
data:
from_loop_1: '{{ var1 || ''!!!variable not resolved!!!'' }}'
- list: '[''dummy'']'
patchStrategicMerge:
data:
from_loop_2: '{{ var1 || ''!!!variable not resolved!!!'' }}'
- list: '[''dummy'']'
patchStrategicMerge:
data:
from_loop_3: '{{ var1 || ''!!!variable not resolved!!!'' }}'
name: mutate1
preconditions: preconditions:
all: all:
- key: "{{ request.operation }}" - key: '{{ request.operation }}'
operator: In operator: AllIn
value: value:
- CREATE - CREATE
- UPDATE - UPDATE
mutate: schemaValidation: false
foreach: validationFailureAction: Enforce
# first loop
- list: "['dummy']"
patchStrategicMerge:
data:
from_loop_1: "{{ var1 || '!!!variable not resolved!!!' }}"
# second loop
- list: "['dummy']"
patchStrategicMerge:
data:
from_loop_2: "{{ var1 || '!!!variable not resolved!!!' }}"
# third loop
- list: "['dummy']"
patchStrategicMerge:
data:
from_loop_3: "{{ var1 || '!!!variable not resolved!!!' }}"
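Review bot: This section changes behaviour-bearing fields, not only layout: the precondition operator on the `request.operation` key becomes `AllIn` where the file had `In`, the same rewrite appears in the foreach-patchstrategicmerge-context policy later in the commit, and the two generate-update-rule-spec policies drop `generateExisting: false` and turn a bare `preconditions` list into `all:`. Assuming the fix command applies these because they are equivalent for a scalar key and for defaulted fields, the result is fine, but the title `chore: fix policies` does not say so and a reader diffing fixtures will have to re-derive it; a sentence in the description naming the semantic normalisations (In to AllIn, defaulted fields removed, `admission: true` and `---` added) would help. Whether the engine treats a bare `preconditions` list exactly as `all:` is worth confirming before relying on the rewrite.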


@ -1,29 +1,31 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: disallow-latest-tag-events-creation
annotations: annotations:
policies.kyverno.io/title: Disallow Latest Tag
policies.kyverno.io/category: Best Practices policies.kyverno.io/category: Best Practices
policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead
to unexpected errors if the image changes. A best practice is to use an immutable
tag that maps to a specific version of an application Pod. This policy validates
that the image specifies a tag and that it is not called `latest`. '
policies.kyverno.io/severity: medium policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >- policies.kyverno.io/title: Disallow Latest Tag
The ':latest' tag is mutable and can lead to unexpected errors if the name: disallow-latest-tag-events-creation
image changes. A best practice is to use an immutable tag that maps to
a specific version of an application Pod. This policy validates that the image
specifies a tag and that it is not called `latest`.
spec: spec:
validationFailureAction: Enforce admission: true
background: true background: true
rules: rules:
- name: validate-image-tag - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-image-tag
validate: validate:
message: "An image tag is required (:latest is not allowed)" message: An image tag is required (:latest is not allowed)
pattern: pattern:
spec: spec:
containers: containers:
- image: "!*:latest & *:*" - image: '!*:latest & *:*'
validationFailureAction: Enforce


@ -1,32 +1,36 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: cpol-data-sync-remove-list-element-cpol
annotations: annotations:
policies.kyverno.io/category: Workload Management policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: By default, Kubernetes allows communications across policies.kyverno.io/description: By default, Kubernetes allows communications
all pods within a cluster. Network policies and, a CNI that supports network policies, across all pods within a cluster. Network policies and, a CNI that supports
must be used to restrict communinications. A default NetworkPolicy should be configured network policies, must be used to restrict communinications. A default NetworkPolicy
for each namespace to default deny all ingress traffic to the pods in the namespace. should be configured for each namespace to default deny all ingress traffic
Application teams can then configure additional NetworkPolicy resources to allow to the pods in the namespace. Application teams can then configure additional
desired traffic to application pods from select sources. NetworkPolicy resources to allow desired traffic to application pods from select
sources.
name: cpol-data-sync-remove-list-element-cpol
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: cpol-data-sync-remove-list-element-rule - generate:
match:
resources:
kinds:
- Namespace
generate:
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
name: default-netpol
namespace: "{{request.object.metadata.name}}"
synchronize : true
data: data:
spec: spec:
# select all pods in the namespace
podSelector: {} podSelector: {}
policyTypes: policyTypes:
- Ingress - Ingress
kind: NetworkPolicy
name: default-netpol
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
name: cpol-data-sync-remove-list-element-rule
validationFailureAction: Audit


@ -1,33 +1,37 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: cpol-data-sync-remove-list-element-cpol
annotations: annotations:
policies.kyverno.io/category: Workload Management policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: By default, Kubernetes allows communications across policies.kyverno.io/description: By default, Kubernetes allows communications
all pods within a cluster. Network policies and, a CNI that supports network policies, across all pods within a cluster. Network policies and, a CNI that supports
must be used to restrict communinications. A default NetworkPolicy should be configured network policies, must be used to restrict communinications. A default NetworkPolicy
for each namespace to default deny all ingress traffic to the pods in the namespace. should be configured for each namespace to default deny all ingress traffic
Application teams can then configure additional NetworkPolicy resources to allow to the pods in the namespace. Application teams can then configure additional
desired traffic to application pods from select sources. NetworkPolicy resources to allow desired traffic to application pods from select
sources.
name: cpol-data-sync-remove-list-element-cpol
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: cpol-data-sync-remove-list-element-rule - generate:
match:
resources:
kinds:
- Namespace
generate:
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
name: default-netpol
namespace: "{{request.object.metadata.name}}"
synchronize : true
data: data:
spec: spec:
# select all pods in the namespace
podSelector: {} podSelector: {}
policyTypes: policyTypes:
- Ingress - Ingress
- Egress - Egress
kind: NetworkPolicy
name: default-netpol
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
name: cpol-data-sync-remove-list-element-rule
validationFailureAction: Audit


@ -1,26 +1,31 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: cpol-data-sync-modify-policy name: cpol-data-sync-modify-policy
spec: spec:
admission: true
background: true
rules: rules:
- name: cpol-data-sync-modify-rule - generate:
match:
resources:
kinds:
- Namespace
names:
- gemini-*
generate:
apiVersion: v1 apiVersion: v1
kind: ResourceQuota
name: default-resourcequota
synchronize: true
namespace: "{{request.object.metadata.name}}"
data: data:
spec: spec:
hard: hard:
requests.cpu: '4' limits.cpu: "8"
requests.memory: '16Gi' limits.memory: 16Gi
limits.cpu: '8' requests.cpu: "4"
limits.memory: '16Gi' requests.memory: 16Gi
kind: ResourceQuota
name: default-resourcequota
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
names:
- gemini-*
name: cpol-data-sync-modify-rule
validationFailureAction: Audit


@ -1,26 +1,31 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: cpol-data-sync-modify-policy name: cpol-data-sync-modify-policy
spec: spec:
admission: true
background: true
rules: rules:
- name: cpol-data-sync-modify-rule - generate:
match:
resources:
kinds:
- Namespace
names:
- gemini-*
generate:
apiVersion: v1 apiVersion: v1
kind: ResourceQuota
name: default-resourcequota
synchronize: true
namespace: "{{request.object.metadata.name}}"
data: data:
spec: spec:
hard: hard:
requests.cpu: '4' limits.cpu: "9"
requests.memory: '16Gi' limits.memory: 16Gi
limits.cpu: '9' requests.cpu: "4"
limits.memory: '16Gi' requests.memory: 16Gi
kind: ResourceQuota
name: default-resourcequota
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
names:
- gemini-*
name: cpol-data-sync-modify-rule
validationFailureAction: Audit


@ -1,17 +1,13 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: generate-update-rule-spec name: generate-update-rule-spec
spec: spec:
generateExisting: false admission: true
background: true
rules: rules:
- name: k-kafka-address - exclude:
match:
any:
- resources:
kinds:
- Namespace
exclude:
any: any:
- resources: - resources:
namespaces: namespaces:
@ -19,21 +15,29 @@ spec:
- default - default
- kube-public - kube-public
- kyverno - kyverno
preconditions:
- key: "{{request.operation}}"
operator: NotEquals
value: DELETE
generate: generate:
synchronize: true
apiVersion: v1 apiVersion: v1
kind: ConfigMap
name: zk-kafka-address
namespace: default
data: data:
data:
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
kind: ConfigMap kind: ConfigMap
metadata: metadata:
labels: labels:
somekey: somevalue somekey: somevalue
data: kind: ConfigMap
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" name: zk-kafka-address
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" namespace: default
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
name: k-kafka-address
preconditions:
all:
- key: '{{request.operation}}'
operator: NotEquals
value: DELETE
validationFailureAction: Audit


@ -1,37 +1,41 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: Policy kind: Policy
metadata: metadata:
name: generate-update-rule-spec name: generate-update-rule-spec
namespace: default namespace: default
spec: spec:
generateExisting: false admission: true
background: true
rules: rules:
- name: k-kafka-address - exclude:
any:
- resources:
kinds:
- NetworkPolicy
generate:
apiVersion: v1
data:
data:
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
kind: ConfigMap
metadata:
labels:
somekey: somevalue
kind: ConfigMap
name: zk-kafka-address
namespace: default
synchronize: true
match: match:
any: any:
- resources: - resources:
kinds: kinds:
- Secret - Secret
exclude: name: k-kafka-address
any:
- resources:
kinds:
- NetworkPolicy
preconditions: preconditions:
- key: "{{request.operation}}" all:
operator: NotEquals - key: '{{request.operation}}'
value: DELETE operator: NotEquals
generate: value: DELETE
synchronize: true validationFailureAction: Audit
apiVersion: v1
kind: ConfigMap
name: zk-kafka-address
namespace: default
data:
kind: ConfigMap
metadata:
labels:
somekey: somevalue
data:
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"


@ -1,19 +1,24 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: add-labels name: add-labels
spec: spec:
admission: true
background: true
rules: rules:
- name: add-labels - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
- Service - Service
- ConfigMap - ConfigMap
- Secret - Secret
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
labels: labels:
foo: bar foo: bar
name: add-labels
validationFailureAction: Audit


@ -1,17 +1,21 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: advertise-resource name: advertise-resource
spec: spec:
admission: true
background: false background: false
rules: rules:
- name: advertise-resource - match:
match: any:
resources: - resources:
kinds: kinds:
- Node/status - Node/status
mutate: mutate:
patchesJson6902: |- patchesJson6902: |-
- op: add - op: add
path: "/status/capacity/example.com~1dongle" path: "/status/capacity/example.com~1dongle"
value: "4" value: "4"
name: advertise-resource
validationFailureAction: Audit


@ -1,32 +1,36 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: foreach-patchstrategicmerge-context-policy name: foreach-patchstrategicmerge-context-policy
spec: spec:
admission: true
background: false background: false
rules: rules:
- name: resolve-image-containers - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
preconditions:
all:
- key: "{{request.operation}}"
operator: In
value:
- CREATE
- UPDATE
mutate: mutate:
foreach: foreach:
- list: "request.object.spec.containers" - context:
context: - configMap:
- name: dictionary name: foreach-patchstrategicmerge-context-configmap
configMap: namespace: foreach-patchstrategicmerge-context-ns
name: foreach-patchstrategicmerge-context-configmap name: dictionary
namespace: foreach-patchstrategicmerge-context-ns list: request.object.spec.containers
patchStrategicMerge: patchStrategicMerge:
spec: spec:
containers: containers:
- name: "{{ element.name }}" - image: '{{ dictionary.data.image }}'
image: "{{ dictionary.data.image }}" name: '{{ element.name }}'
name: resolve-image-containers
preconditions:
all:
- key: '{{request.operation}}'
operator: AllIn
value:
- CREATE
- UPDATE
validationFailureAction: Audit


@ -1,22 +1,24 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: mutate name: mutate
spec: spec:
validationFailureAction: Audit
admission: false admission: false
background: true background: true
rules: rules:
- name: mutate - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
- Service - Service
- ConfigMap - ConfigMap
- Secret - Secret
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
labels: labels:
foo: bar foo: bar
name: mutate
validationFailureAction: Audit


@ -1,20 +1,20 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
annotations: annotations:
policies.kyverno.io/category: Security policies.kyverno.io/category: Security
policies.kyverno.io/description: 'This policy mutates any namespace-scoped Custom policies.kyverno.io/description: 'This policy mutates any namespace-scoped Custom
Resource Definition created by the subjects in the xteam Azure AD group Resource Definition created by the subjects in the xteam Azure AD group and
and adds the label "createdByXteam: true".' adds the label "createdByXteam: true".'
policies.kyverno.io/subject: RBAC policies.kyverno.io/subject: RBAC
policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad group
group
policy.reporter.kyverno.io/minimal: minimal policy.reporter.kyverno.io/minimal: minimal
generation: 1
labels: labels:
aws.cdk.eks/prune-c8b5941ff5f4fe911c5ee96472fda3d1f9866734a7: "" aws.cdk.eks/prune-c8b5941ff5f4fe911c5ee96472fda3d1f9866734a7: ""
name: mutate-xteam-namespace-scoped-crds name: mutate-xteam-namespace-scoped-crds
spec: spec:
admission: true
background: false background: false
rules: rules:
- match: - match:
@ -22,9 +22,9 @@ spec:
- resources: - resources:
kinds: kinds:
- CustomResourceDefinition - CustomResourceDefinition
subjects: subjects:
- kind: Group - kind: Group
name: aad:9b9had99-6k66-2222-9999-8aadb888e888 name: aad:9b9had99-6k66-2222-9999-8aadb888e888
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
@ -39,4 +39,4 @@ spec:
- key: '{{ request.object.spec.scope }}' - key: '{{ request.object.spec.scope }}'
operator: Equals operator: Equals
value: Namespaced value: Namespaced
validationFailureAction: audit validationFailureAction: Audit


@ -1,22 +1,25 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: Policy kind: Policy
metadata: metadata:
name: mutate name: mutate
namespace: default
spec: spec:
validationFailureAction: Audit
admission: false admission: false
background: true background: true
rules: rules:
- name: mutate - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
- Service - Service
- ConfigMap - ConfigMap
- Secret - Secret
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
labels: labels:
foo: bar foo: bar
name: mutate
validationFailureAction: Audit
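Review bot: The namespaced `Policy` loses its `metadata.namespace: default` on the new side (the left column still shows it under `name: mutate`), so the fixture no longer says which namespace the policy belongs to. For `kind: Policy` the namespace is what scopes the rules, and the CLI test presumably relies on it; unless the drop is deliberate, restore `namespace: default` under `metadata:`. The rest of the hunk is key reordering, `match.resources` wrapped in `any:`, and quoting.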


@ -1,32 +1,35 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: preconditions name: preconditions
spec: spec:
validationFailureAction: Enforce admission: true
background: false background: false
rules: rules:
- name: test - context:
match: - apiCall:
any: method: GET
- resources: urlPath: /api/v1/namespaces/missing/configmaps/nothere
kinds: name: nothere
- Pod match:
context: any:
- name: nothere - resources:
apiCall: kinds:
urlPath: /api/v1/namespaces/missing/configmaps/nothere - Pod
preconditions: name: test
any: preconditions:
- key: "{{ request.name }}" any:
operator: Equals - key: '{{ request.name }}'
value: test message: this pod is not allowed
message: this pod is not allowed operator: Equals
- key: "{{ nothere }}" value: test
operator: Equals - key: '{{ nothere }}'
value: hello message: value mismatch
message: value mismatch operator: Equals
validate: value: hello
pattern: validate:
metadata: pattern:
name: "*" metadata:
name: '*'
validationFailureAction: Enforce


@ -1,35 +1,39 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: check-trustable-images name: check-trustable-images
spec: spec:
validationFailureAction: Enforce admission: true
background: true
rules: rules:
- name: only-allow-trusted-images - match:
match:
any: any:
- resources: - resources:
kinds: kinds:
- Pod - Pod
name: only-allow-trusted-images
preconditions: preconditions:
- key: "{{request.operation}}" all:
- key: '{{request.operation}}'
operator: NotEquals operator: NotEquals
value: DELETE value: DELETE
validate: validate:
message: "images with root user are not allowed"
foreach: foreach:
- list: "request.object.spec.containers" - context:
context: - imageRegistry:
- name: imageData jmesPath: '{user: configData.config.User || '''', registry: registry}'
imageRegistry: reference: '{{ element.image }}'
reference: "{{ element.image }}" name: imageData
jmesPath: "{user: configData.config.User || '', registry: registry}"
deny: deny:
conditions: conditions:
all: all:
- key: "{{ imageData.user }}" - key: '{{ imageData.user }}'
operator: Equals operator: Equals
value: "" value: ""
- key: "{{ imageData.registry }}" - key: '{{ imageData.registry }}'
operator: NotEquals operator: NotEquals
value: "ghcr.io" value: ghcr.io
list: request.object.spec.containers
message: images with root user are not allowed
validationFailureAction: Enforce
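Review bot: The explicit `background: true` under `spec:` disappears on the new side while `admission: true` is added, whereas the other fixtures in this commit gain an explicit `background:` line. Behaviour is presumably unchanged because true is the default, but this rule performs an `imageRegistry` lookup for every container and its only guard is `request.operation != DELETE`, so the intended background behaviour should be stated rather than implied: add `background: true` next to `admission: true` (or `background: false` if registry calls during report scans are not wanted).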


@ -1,32 +1,39 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: keyed-basic-policy name: keyed-basic-policy
spec: spec:
validationFailureAction: enforce admission: true
background: false background: false
webhookTimeoutSeconds: 30
failurePolicy: Fail failurePolicy: Fail
rules: rules:
- name: keyed-basic-rule - match:
match:
any: any:
- resources: - resources:
kinds: kinds:
- Pod - Pod
name: keyed-basic-rule
verifyImages: verifyImages:
- imageReferences: - attestors:
- '*'
attestors:
- entries: - entries:
- keys: - keys:
ctlog:
ignoreSCT: true
publicKeys: |- publicKeys: |-
-----BEGIN PUBLIC KEY----- -----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY----- -----END PUBLIC KEY-----
rekor: rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true ignoreTlog: true
ctlog: url: https://rekor.sigstore.dev
ignoreSCT: true signatureAlgorithm: sha256
imageReferences:
- '*'
mutateDigest: true
required: true
useCache: true
verifyDigest: true
validationFailureAction: Enforce
webhookTimeoutSeconds: 30
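Review bot: `rekor.ignoreTlog: true` and `ctlog.ignoreSCT: true` are now spelled out right next to `url: https://rekor.sigstore.dev`, which leaves the Rekor URL as dead configuration: with the transparency log ignored, the signature is checked against the static key only and no inclusion proof or SCT is verified. That is presumably intended so the CLI fixture runs offline, but a reader copying this block gets a policy that silently skips both checks; the test description should carry a one-line caveat such as `tlog/SCT verification disabled on purpose: offline fixture`, since the regenerated YAML in this commit drops comments. The added `signatureAlgorithm: sha256`, `mutateDigest`, `useCache` and `verifyDigest` lines only make defaults explicit.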


@ -1,35 +1,42 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: tasks-keyless name: tasks-keyless
spec: spec:
validationFailureAction: Enforce admission: true
webhookTimeoutSeconds: 30 background: true
rules: rules:
- name: verify-images - imageExtractors:
Task:
- path: /spec/steps/*/image
match: match:
any: any:
- resources: - resources:
kinds: kinds:
- tekton.dev/v1beta1/Task - tekton.dev/v1beta1/Task
name: verify-images
preconditions: preconditions:
- key: "{{request.operation}}" all:
operator: NotEquals - key: '{{request.operation}}'
value: DELETE operator: NotEquals
imageExtractors: value: DELETE
Task:
- path: /spec/steps/*/image
verifyImages: verifyImages:
- imageReferences: - attestors:
- "ghcr.io/*"
attestors:
- count: 1 - count: 1
entries: entries:
- keyless: - keyless:
issuer: "https://token.actions.githubusercontent.com"
subject: "https://github.com/*"
rekor:
url: https://rekor.sigstore.dev
ctlog: ctlog:
ignoreSCT: true ignoreSCT: true
issuer: https://token.actions.githubusercontent.com
rekor:
url: https://rekor.sigstore.dev
subject: https://github.com/*
imageReferences:
- ghcr.io/*
mutateDigest: true
required: true required: true
useCache: true
verifyDigest: true
validationFailureAction: Enforce
webhookTimeoutSeconds: 30
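Review bot: The keyless attestor's `subject: https://github.com/*` accepts a signature from any GitHub Actions workflow in any repository, so `count: 1` with this issuer/subject pair is satisfied by anyone who can run a workflow on github.com, and `ignoreSCT: true` skips the certificate's CT check as well. For a fixture that is acceptable, but the pattern is easy to copy; pin the subject to the owning org or repo, e.g. `subject: https://github.com/myorg/*`, if this file is ever used as a template. Everything else in the hunk is key ordering plus explicit defaults (`mutateDigest`, `useCache`, `verifyDigest`) and `preconditions` wrapped in `all:`.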


@ -1,30 +1,35 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: tasks-complex name: tasks-complex
spec: spec:
validationFailureAction: Enforce admission: true
background: true
rules: rules:
- name: verify-images - imageExtractors:
Task:
- key: name
name: steps
path: /spec/steps/*
value: image
match: match:
any: any:
- resources: - resources:
kinds: kinds:
- tekton.dev/v1beta1/Task - tekton.dev/v1beta1/Task
name: verify-images
preconditions: preconditions:
- key: "{{request.operation}}" all:
operator: NotEquals - key: '{{request.operation}}'
value: DELETE operator: NotEquals
imageExtractors: value: DELETE
Task:
- path: /spec/steps/*
name: steps
value: image
key: name
verifyImages: verifyImages:
- image: "*" - image: '*'
key: |- key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END
-----BEGIN PUBLIC KEY----- PUBLIC KEY----- "
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM mutateDigest: true
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== required: true
-----END PUBLIC KEY----- useCache: true
verifyDigest: true
validationFailureAction: Enforce
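Review bot: The regenerated `key:` is a double-quoted flow scalar whose last line is `PUBLIC KEY----- "`, i.e. the PEM footer carries a trailing space, which is why the serializer could not keep the original `|-` block form (the tasks-no-extractor sibling kept it). Go's PEM decoder trims trailing blanks on a line, so verification presumably still works, but the stray space is noise in a fixture and makes the key unreadable in the file; strip it so the value round-trips as a block scalar. The rule also still uses the `image:`/`key:` shorthand, which looks like the older form of the `imageReferences:`/`attestors:` layout used by keyed-basic-policy in this same commit, so it is worth confirming that exercising the legacy form is the intent here.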


@ -1,24 +1,32 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: tasks-no-extractor name: tasks-no-extractor
spec: spec:
validationFailureAction: Enforce admission: true
background: true
rules: rules:
- name: verify-images - match:
match:
any: any:
- resources: - resources:
kinds: kinds:
- tekton.dev/v1beta1/Task - tekton.dev/v1beta1/Task
name: verify-images
preconditions: preconditions:
- key: "{{request.operation}}" all:
operator: NotEquals - key: '{{request.operation}}'
value: DELETE operator: NotEquals
value: DELETE
verifyImages: verifyImages:
- image: "*" - image: '*'
key: |- key: |-
-----BEGIN PUBLIC KEY----- -----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY----- -----END PUBLIC KEY-----
mutateDigest: true
required: true
useCache: true
verifyDigest: true
validationFailureAction: Enforce
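Review bot: This rule keeps the `image: '*'` / `key:` shorthand while keyed-basic-policy in the same commit is written with `imageReferences:` and `attestors.entries.keys.publicKeys`; from the two layouts side by side the shorthand appears to be the legacy form, and a fixture that deliberately exercises it should say so in the test description (comments do not survive regeneration). The name `tasks-no-extractor` suggests the point is that `/spec/steps/*/image` is not inspected for `tekton.dev/v1beta1/Task` without an `imageExtractors` block, but nothing in the policy states that expectation.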


@ -1,27 +1,32 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: tasks-simple name: tasks-simple
spec: spec:
validationFailureAction: Enforce admission: true
background: true
rules: rules:
- name: verify-images - imageExtractors:
Task:
- path: /spec/steps/*/image
match: match:
any: any:
- resources: - resources:
kinds: kinds:
- tekton.dev/v1beta1/Task - tekton.dev/v1beta1/Task
name: verify-images
preconditions: preconditions:
- key: "{{request.operation}}" all:
operator: NotEquals - key: '{{request.operation}}'
value: DELETE operator: NotEquals
imageExtractors: value: DELETE
Task:
- path: /spec/steps/*/image
verifyImages: verifyImages:
- image: "*" - image: '*'
key: |- key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END
-----BEGIN PUBLIC KEY----- PUBLIC KEY----- "
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM mutateDigest: true
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== required: true
-----END PUBLIC KEY----- useCache: true
verifyDigest: true
validationFailureAction: Enforce
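Review bot: As in tasks-complex, `key:` is re-emitted as a double-quoted scalar ending in `PUBLIC KEY----- "`, exposing a trailing space after the PEM footer that prevented the serializer from using `|-`; strip the space so this fixture matches the block form kept in tasks-no-extractor. The remainder of the hunk is reordering, `preconditions` wrapped in `all:`, and explicit defaults (`mutateDigest`, `required`, `useCache`, `verifyDigest`).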


@ -4,26 +4,28 @@ kind: ClusterPolicy
metadata: metadata:
name: path-canonicalize name: path-canonicalize
spec: spec:
validationFailureAction: enforce admission: true
background: false background: false
rules: rules:
- name: disallow-mount-containerd-sock - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: disallow-mount-containerd-sock
validate: validate:
foreach: foreach:
- list: "request.object.spec.volumes[]" - deny:
deny:
conditions: conditions:
any: any:
- key: "{{ path_canonicalize(element.hostPath.path) }}" - key: '{{ path_canonicalize(element.hostPath.path) }}'
operator: Equals operator: Equals
value: "/var/run/containerd/containerd.sock" value: /var/run/containerd/containerd.sock
- key: "{{ path_canonicalize(element.hostPath.path) }}" - key: '{{ path_canonicalize(element.hostPath.path) }}'
operator: Equals operator: Equals
value: "/run/containerd/containerd.sock" value: /run/containerd/containerd.sock
- key: "{{ path_canonicalize(element.hostPath.path) }}" - key: '{{ path_canonicalize(element.hostPath.path) }}'
operator: Equals operator: Equals
value: "\\var\\run\\containerd\\containerd.sock" value: \var\run\containerd\containerd.sock
list: request.object.spec.volumes[]
validationFailureAction: Enforce
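Review bot: The deny conditions compare the canonicalized `hostPath.path` against three exact socket paths, so a Pod that mounts a parent directory (`/run/containerd`, `/run` or `/`) still reaches the socket and is not denied. That is fine if this file is only a `path_canonicalize` regression fixture, but it should not be read as a complete containerd-socket guard; a real rule needs a prefix check over the ancestor directories in addition to the exact matches. The hunk otherwise only wraps `match.resources` in `any:` and reorders keys.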


@ -1,16 +1,21 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: mutate-pod-disable-automoutingapicred name: mutate-pod-disable-automoutingapicred
spec: spec:
admission: true
background: true
rules: rules:
- name: pod-disable-automoutingapicred - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
spec: spec:
(serviceAccountName): "*" (serviceAccountName): '*'
automountServiceAccountToken: false automountServiceAccountToken: false
name: pod-disable-automoutingapicred
validationFailureAction: Audit


@ -1,34 +1,36 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: resolve-image name: resolve-image
spec: spec:
admission: true
background: false background: false
rules: rules:
- name: resolve-image-containers - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
preconditions:
all:
- key: "{{request.operation}}"
operator: In
value:
- CREATE
- UPDATE
mutate: mutate:
foreach: foreach:
- list: "request.object.spec.containers" - context:
context: - configMap:
- name: dictionary name: some-config-map
configMap: namespace: some-namespace
# Name of the ConfigMap which will be looked up name: dictionary
name: some-config-map list: request.object.spec.containers
# Namespace in which this ConfigMap is stored
namespace: some-namespace
patchStrategicMerge: patchStrategicMerge:
spec: spec:
containers: containers:
- name: "{{ element.name }}" - image: '{{ dictionary.data.image }}'
image: "{{ dictionary.data.image }}" name: '{{ element.name }}'
name: resolve-image-containers
preconditions:
all:
- key: '{{request.operation}}'
operator: AllIn
value:
- CREATE
- UPDATE
validationFailureAction: Audit
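Review bot: The precondition operator changes from `In` to `AllIn` for `{{request.operation}}` against `[CREATE, UPDATE]`. That is equivalent only because the key is a single scalar; on a list-valued key `AllIn` requires every element to be present in the value, so anyone copying this precondition onto a list gets stricter semantics than the old `In`, and `AnyIn` would be the literal replacement. The two explanatory comments on the `configMap` context (`# Name of the ConfigMap which will be looked up`, `# Namespace in which this ConfigMap is stored`) are also dropped by the regeneration, leaving `some-config-map` / `some-namespace` undocumented.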


@ -1,40 +1,45 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: check-cpu-memory name: check-cpu-memory
spec: spec:
admission: true
background: true
rules: rules:
- name: check-defined - match:
match: any:
resources: - resources:
kinds: kinds:
- Deployment - Deployment
name: check-defined
validate: validate:
message: "Resource limits are required for CPU and memory" message: Resource limits are required for CPU and memory
pattern: pattern:
spec: spec:
template: template:
spec: spec:
containers: containers:
- name: "?*" - name: ?*
resources: resources:
limits: limits:
memory: "?*" cpu: ?*
cpu: "?*" memory: ?*
- match:
- name: check-cpu any:
match: - resources:
resources: kinds:
kinds: - Deployment
- Deployment name: check-cpu
validate: validate:
message: "CPU request should be less than 4" message: CPU request should be less than 4
pattern: pattern:
spec: spec:
template: template:
spec: spec:
containers: containers:
- name: "*" - name: '*'
resources: resources:
requests: requests:
cpu: "<4m" cpu: <4m
validationFailureAction: Audit
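Review bot: The `check-cpu` rule's message says `CPU request should be less than 4` but its pattern is `cpu: <4m`, i.e. less than 4 millicores, which would reject practically any real request; one of the two is wrong, and `cpu: <4` matches the message. Separately, the serializer quotes `name: '*'` but leaves `name: ?*` and `cpu: ?*` bare; `?*` is valid plain YAML (the `?` indicator needs a following space), but quoting both consistently spares the reader that check.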


@ -1,19 +1,24 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: check-host-path name: check-host-path
spec: spec:
admission: true
background: true
rules: rules:
- name: check-host-path - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: check-host-path
validate: validate:
message: "Host path is not allowed" message: Host path is not allowed
pattern: pattern:
spec: spec:
volumes: volumes:
- name: "*" - hostPath:
hostPath:
path: "" path: ""
name: '*'
validationFailureAction: Audit


@ -1,22 +1,25 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: image-pull-policy name: image-pull-policy
spec: spec:
admission: true
background: true
rules: rules:
- name: image-pull-policy - match:
match: any:
resources: - resources:
kinds: kinds:
- Deployment - Deployment
name: image-pull-policy
validate: validate:
message: "Image tag ':latest' requires imagePullPolicy 'Always'" message: Image tag ':latest' requires imagePullPolicy 'Always'
pattern: pattern:
spec: spec:
template: template:
spec: spec:
containers: containers:
# select images which end with :latest - (image): '*latest'
- (image): "*latest"
# require that the imagePullPolicy is "Always"
imagePullPolicy: Always imagePullPolicy: Always
validationFailureAction: Audit
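Review bot: The regenerated pattern drops the two comments (`# select images which end with :latest` and `# require that the imagePullPolicy is "Always"`) that explained the conditional anchor `(image): '*latest'`, and the same happens in the other fixtures rewritten by this commit. If `kyverno fix policy` cannot preserve comments, the explanation should move to the test description or the `validate.message` so it survives the next regeneration. Note also that `'*latest'` matches any image string ending in those letters (`app:v1-notlatest`, `…/latest`), whereas the message talks about the `:latest` tag; `'*:latest'` is the precise anchor for that intent.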


@ -1,26 +1,27 @@
apiVersion : kyverno.io/v1 ---
kind : ClusterPolicy apiVersion: kyverno.io/v1
metadata : kind: ClusterPolicy
name : validation-example2 metadata:
spec : name: validation-example2
spec:
admission: true
background: true
rules: rules:
- name: check-memory_requests_link_in_yaml - match:
match: any:
resources: - resources:
# Kind specifies one or more resource types to match
kinds: kinds:
- Deployment - Deployment
# Name is optional and can use wildcards name: '*'
name: "*" name: check-memory_requests_link_in_yaml
# Selector is optional validate:
selector: pattern:
validate: spec:
pattern: containers:
spec: - name: '*'
containers: resources:
- name: "*" limits:
resources: memory: 2048Mi
requests: requests:
memory: "$(<=/spec/containers/0/resources/limits/memory)" memory: $(<=/spec/containers/0/resources/limits/memory)
limits: validationFailureAction: Audit
memory: "2048Mi"
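Review bot: The rule matches `kinds: - Deployment` but its pattern starts at `spec.containers`, which is Pod shape; a Deployment keeps its containers under `spec.template.spec.containers`, so against a real Deployment this pattern would not find `containers` at all. Presumably the CLI test resource is shaped to fit the fixture, but either the kind or the pattern root should be corrected so the file documents a realistic case. This file and the relative-path sibling below also both carry `metadata.name: validation-example2`, so they cannot be applied to one cluster together; renaming the second (e.g. `validation-example2-relative`) avoids the collision.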


@ -1,26 +1,27 @@
apiVersion : kyverno.io/v1 ---
kind : ClusterPolicy apiVersion: kyverno.io/v1
metadata : kind: ClusterPolicy
name : validation-example2 metadata:
spec : name: validation-example2
spec:
admission: true
background: true
rules: rules:
- name: check-memory_requests_link_in_yaml_relative - match:
match: any:
resources: - resources:
# Kind specifies one or more resource types to match
kinds: kinds:
- Deployment - Deployment
# Name is optional and can use wildcards name: '*'
name: "*" name: check-memory_requests_link_in_yaml_relative
# Selector is optional validate:
selector: pattern:
validate: spec:
pattern: containers:
spec: - (name): '*'
containers: resources:
- (name): "*" lim(its:
resources: mem)ory: 2048Mi
requests: requests:
memory: "$(<=./../../lim(its/mem)ory)" memory: $(<=./../../lim(its/mem)ory)
lim(its: validationFailureAction: Audit
mem)ory: "2048Mi"


@ -1,34 +1,35 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: check-kernel
annotations: annotations:
policies.kyverno.io/title: Check Node for CVE-2022-0185
policies.kyverno.io/category: Other
policies.kyverno.io/severity: high
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.23" kyverno.io/kubernetes-version: "1.23"
policies.kyverno.io/subject: Node kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/description: >- policies.kyverno.io/category: Other
Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. policies.kyverno.io/description: Linux CVE-2022-0185 can allow a container escape
The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. in Kubernetes if left unpatched. The affected Linux kernel versions, at this
For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185.
This policy runs in background mode and flags an entry in the ClusterPolicyReport This policy runs in background mode and flags an entry in the ClusterPolicyReport
if any Node is reporting one of the affected kernel versions. if any Node is reporting one of the affected kernel versions.
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: high
policies.kyverno.io/subject: Node
policies.kyverno.io/title: Check Node for CVE-2022-0185
name: check-kernel
spec: spec:
validationFailureAction: audit admission: true
background: true background: true
rules: rules:
- name: kernel-validate - match:
match:
any: any:
- resources: - resources:
kinds: kinds:
- Node - Node
name: kernel-validate
validate: validate:
message: "Kernel is vulnerable to CVE-2022-0185." message: Kernel is vulnerable to CVE-2022-0185.
pattern: pattern:
status: status:
nodeInfo: nodeInfo:
kernelVersion: "!5.10.84-1 & !5.15.5-2" kernelVersion: '!5.10.84-1 & !5.15.5-2'
validationFailureAction: Audit
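Review bot: The pattern `kernelVersion: '!5.10.84-1 & !5.15.5-2'` compares `status.nodeInfo.kernelVersion` against Debian package revisions. That field is what the kubelet reports as the kernel release string (uname-style, e.g. `5.10.0-10-amd64` on Debian), which presumably never contains the `-1`/`-2` package suffix, so the rule would not flag an affected node; the values should be the release strings the affected kernels actually report, with wildcards where needed (e.g. `'!5.10.0-10-amd64'`), and the test resource should be checked for which format it uses. The description annotation was reflowed into a plain scalar with its wording unchanged.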


@ -1,16 +1,21 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: check-node-port name: check-node-port
spec: spec:
admission: true
background: true
rules: rules:
- name: check-node-port - match:
match: any:
resources: - resources:
kinds: kinds:
- Service - Service
name: check-node-port
validate: validate:
message: "NodePort type is not allowed" message: NodePort type is not allowed
pattern: pattern:
spec: spec:
type: "!NodePort" type: '!NodePort'
validationFailureAction: Audit


@ -1,21 +1,26 @@
apiVersion : kyverno.io/v1 ---
kind : ClusterPolicy apiVersion: kyverno.io/v1
metadata : kind: ClusterPolicy
name : check-non-root metadata:
spec : name: check-non-root
spec:
admission: true
background: true
rules: rules:
- name: check-non-root - match:
match: any:
resources: - resources:
kinds: kinds:
- Deployment - Deployment
- StatefuleSet - StatefuleSet
- DaemonSet - DaemonSet
validate: name: check-non-root
message: "Root user is not allowed" validate:
pattern: message: Root user is not allowed
spec: pattern:
template: spec:
spec: template:
securityContext: spec:
runAsNonRoot: true securityContext:
runAsNonRoot: true
validationFailureAction: Audit
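Review bot: `kinds:` still lists `StatefuleSet` (sic) on both sides of the hunk, so StatefulSets are never matched by this rule and Kyverno will presumably flag the unknown kind; it should read `- StatefulSet`, as check-registries below spells it. The pattern also only checks the pod-level `securityContext.runAsNonRoot: true`; a container-level `securityContext.runAsNonRoot: false` overrides that, so a complete rule would additionally require it under each container, e.g. `containers: - =(securityContext): =(runAsNonRoot): true`.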


@ -1,36 +1,42 @@
apiVersion : kyverno.io/v1 ---
kind : ClusterPolicy apiVersion: kyverno.io/v1
metadata : kind: ClusterPolicy
metadata:
name: check-probe-exists name: check-probe-exists
spec: spec:
admission: true
background: true
rules: rules:
- name: check-liveness-probe-exists - match:
match: any:
resources: - resources:
kinds : kinds:
- StatefulSet - StatefulSet
name: check-liveness-probe-exists
validate: validate:
message: "a livenessProbe is required" message: a livenessProbe is required
pattern: pattern:
spec: spec:
template: template:
spec: spec:
containers: containers:
- name: "*" - livenessProbe:
livenessProbe: periodSeconds: '>0'
periodSeconds: ">0" name: '*'
- name: check-readiness-probe-exists - match:
match: any:
resources: - resources:
kinds : kinds:
- StatefulSet - StatefulSet
name: check-readiness-probe-exists
validate: validate:
message: "a readinessProbe is required" message: a readinessProbe is required
pattern: pattern:
spec: spec:
template: template:
spec: spec:
containers: containers:
- name: "*" - name: '*'
readinessProbe: readinessProbe:
periodSeconds: ">0" periodSeconds: '>0'
validationFailureAction: Audit


@ -1,36 +1,42 @@
apiVersion : kyverno.io/v1 ---
kind : ClusterPolicy apiVersion: kyverno.io/v1
metadata : kind: ClusterPolicy
metadata:
name: check-probe-intervals name: check-probe-intervals
spec: spec:
admission: true
background: true
rules: rules:
- name: check-probe-intervals - match:
match: any:
resources: - resources:
kinds : kinds:
- Deployment - Deployment
name: check-probe-intervals
validate: validate:
message: "livenessProbe must be > 10s" message: livenessProbe must be > 10s
pattern: pattern:
spec: spec:
template: template:
spec: spec:
containers: containers:
- name: "*" - livenessProbe:
livenessProbe: periodSeconds: '>10'
periodSeconds: ">10" name: '*'
- name: check-probe-intervals - match:
match: any:
resources: - resources:
kinds : kinds:
- Deployment - Deployment
name: check-probe-intervals
validate: validate:
message: "readinessProbe must be > 10s" message: readinessProbe must be > 10s
pattern: pattern:
spec: spec:
template: template:
spec: spec:
containers: containers:
- name: "*" - name: '*'
readinessProbe: readinessProbe:
periodSeconds: ">10" periodSeconds: '>10'
validationFailureAction: Audit
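Review bot: Both rules in this policy are named `check-probe-intervals` (the two `name:` lines under `rules:`), and Kyverno requires rule names to be unique within a policy, so this fixture is presumably rejected at validation or only one rule is reported. Rename them along the liveness/readiness split used in check-probe-exists, e.g. `name: check-liveness-probe-interval` and `name: check-readiness-probe-interval`. The rest of the hunk is the `any:` wrapping and key reordering.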


@ -1,22 +1,26 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: check-registries name: check-registries
spec: spec:
admission: true
background: true
rules: rules:
- name: check-registries - match:
match: any:
resources: - resources:
kinds: kinds:
- Deployment - Deployment
- StatefulSet - StatefulSet
name: check-registries
validate: validate:
message: "Registry is not allowed" message: Registry is not allowed
pattern: pattern:
spec: spec:
template: template:
spec: spec:
containers: containers:
- name: "*" - image: '*/nirmata/* | https://private.registry.io/*'
# Check allowed registries name: '*'
image: "*/nirmata/* | https://private.registry.io/*" validationFailureAction: Audit
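Review bot: The allow-list anchor `image: '*/nirmata/* | https://private.registry.io/*'` is bypassable: `*/nirmata/*` matches any registry that has a `nirmata` path segment (`evil.example.com/nirmata/app`), and `https://private.registry.io/*` never matches because container image references carry no URL scheme. Pin the host instead, e.g. `image: 'docker.io/nirmata/* | private.registry.io/*'`, and keep in mind that an image written without a registry (`nirmata/app`) is resolved to docker.io by the runtime but presumably not by this string match unless Kyverno normalises it first. The regeneration also dropped the `# Check allowed registries` comment that was the only hint at the rule's intent.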