diff --git a/samples/DefaultDenyAllIngress.md b/samples/DefaultDenyAllIngress.md index bf43393c97..6620530e03 100644 --- a/samples/DefaultDenyAllIngress.md +++ b/samples/DefaultDenyAllIngress.md @@ -1,6 +1,8 @@ # Default deny all ingress traffic -By default, Kubernetes allows all ingress and egress traffic to and from pods within a cluster. A "default" `NetworkPolicy` resource for a namespace should be used to deny all ingress traffic to the pods in that namespace. Additional `NetworkPolicy` resources can then be configured to allow desired traffic to application pods. +By default, Kubernetes allows all ingress and egress traffic to and from pods within a cluster. + +A "default" `NetworkPolicy` should be configured for each namespace to default deny all ingress traffic to the pods in that namespace. Later, the application team can configure additional `NetworkPolicy` resources to allow desired traffic to application pods from select sources. ## Policy YAML diff --git a/samples/DisablePrivilegedContainers.md b/samples/DisablePrivilegedContainers.md index f437f825ff..fe8732abe7 100644 --- a/samples/DisablePrivilegedContainers.md +++ b/samples/DisablePrivilegedContainers.md @@ -1,8 +1,8 @@ # Disable privileged containers -Privileged containers are defined as any container where the container uid 0 is mapped to the host’s uid 0. A process within privileged containers can get unrestricted host access. With `securityContext.allowPrivilegeEscalation` enabled a process can gain privileges from its parent. +Privileged containers are defined as any container where the container uid 0 is mapped to the host’s uid 0. A process within a privileged container can get unrestricted host access. With `securityContext.allowPrivilegeEscalation` enabled, a process can gain privileges from its parent. -To disallow privileged containers and the escalation of privileges it is recommended to run pod containers with `securityContext.priveleged` as `false` and `allowPrivilegeEscalation` as `false`. +To disallow privileged containers and the privilege escalation it is recommended to run pod containers with `securityContext.priveleged` set to `false` and `allowPrivilegeEscalation` set to `false`. ## Policy YAML diff --git a/samples/DisallowDefaultNamespace.md b/samples/DisallowDefaultNamespace.md index dfb771a5e0..a15719678d 100644 --- a/samples/DisallowDefaultNamespace.md +++ b/samples/DisallowDefaultNamespace.md @@ -1,6 +1,6 @@ # Disallow use of default namespace -Namespaces are a way to segment and isolate cluster resources across multiple users. When multiple users or teams are sharing a single cluster, it is recommended to isolate different workloads and restrict use of the default namespace. +Kubernetes namespaces provide a way to segment and isolate cluster resources across multiple applictaions and users. It is recommended that each workload be isolated in its own namespace and that use of the default namespace be not allowed. ## Policy YAML diff --git a/samples/DisallowHostFS.md b/samples/DisallowHostFS.md index 1c0e731e7a..816c32fc52 100644 --- a/samples/DisallowHostFS.md +++ b/samples/DisallowHostFS.md @@ -1,6 +1,6 @@ # Disallow use of host filesystem -The volume of type `hostpath` binds pods to a specific host, and data persisted in the volume is dependent on the life of the node. In a shared cluster, it is recommeded that applications are independent of hosts. +The volume of type `hostpath` allows pods to use host directories and volume mounted to a host path. This binds pods to a specific host, and data persisted in the volume is coupled to the life of the node. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes). ## Policy YAML diff --git a/samples/DisallowHostNetworkPort.md b/samples/DisallowHostNetworkPort.md index e871a60563..0a0bc9a06c 100644 --- a/samples/DisallowHostNetworkPort.md +++ b/samples/DisallowHostNetworkPort.md @@ -1,7 +1,7 @@ # Disallow `hostNetwork` and `hostPort` -Using `hostPort` and `hostNetwork` allows pods to share the host network stack, allowing potential snooping of network traffic from an application pod. +Using `hostPort` and `hostNetwork` allows pods to share the host networking stack allowing potential snooping of network traffic across application pods. ## Policy YAML diff --git a/samples/DisallowHostPIDIPC.md b/samples/DisallowHostPIDIPC.md index d25c84c5da..8705b03e5b 100644 --- a/samples/DisallowHostPIDIPC.md +++ b/samples/DisallowHostPIDIPC.md @@ -1,8 +1,8 @@ # Disallow `hostPID` and `hostIPC` -Sharing the host's PID namespace allows visibility of process on the host, potentially exposing process information. +Sharing the host's PID namespace allows an application pod to gain visibility of processes on the host, potentially exposing sensitive information. Sharing the host's IPC namespace also allows the container process to communicate with processes on the host. -Sharing the host's IPC namespace allows the container process to communicate with processes on the host. To avoid pod container from having visibility to host process space, validate that `hostPID` and `hostIPC` are set to `false`. +To avoid pod container from having visibility to host process space, validate that `hostPID` and `hostIPC` are set to `false`. ## Policy YAML diff --git a/samples/DisallowLatestTag.md b/samples/DisallowLatestTag.md index ba5707c2d7..20a10e08d0 100644 --- a/samples/DisallowLatestTag.md +++ b/samples/DisallowLatestTag.md @@ -1,6 +1,6 @@ # Disallow latest image tag -The `:latest` tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod. +The `:latest` tag is mutable and can lead to unexpected errors if the upstream image changes. A best practice is to use an immutable tag that maps to a specific and tested version of an application pod. ## Policy YAML diff --git a/samples/DisallowUnknownRegistries.md b/samples/DisallowUnknownRegistries.md index fb3221a90b..313a442b0c 100644 --- a/samples/DisallowUnknownRegistries.md +++ b/samples/DisallowUnknownRegistries.md @@ -1,6 +1,8 @@ # Disallow unknown image registries -Images from unknown registries may not be scanned and secured. Requiring use of known registries helps reduce threat exposure. You can customize this policy to allow image registries that you trust. +Images from unknown registries may not be scanned and secured. Requiring the use of trusted registries helps reduce threat exposure. + +You can customize this policy to allow image registries that you trust. ## Policy YAML diff --git a/samples/README.md b/samples/README.md index d7c0fb0439..0ca7783c50 100644 --- a/samples/README.md +++ b/samples/README.md @@ -26,7 +26,7 @@ The policies are mostly validation rules in `audit` mode i.e. your existing work These policies are highly recommended. 1. [Run as non-root user](RunAsNonRootUser.md) -2. [Disable privilege escalation](DisablePrivilegedContainers.md) +2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md) 3. [Require Read-only root filesystem](RequireReadOnlyFS.md) 4. [Disallow use of host filesystem](DisallowHostFS.md) 5. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md) @@ -36,7 +36,7 @@ These policies are highly recommended. 9. [Disallow use of default namespace](DisallowDefaultNamespace.md) 10. [Require namespace limits and quotas](RequireNSLimitsQuotas.md) 11. [Require pod resource requests and limits](RequirePodRequestsLimits.md) -12. [Require pod `livenessProbe` and `readinessProbe`]() +12. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md) 13. [Default deny all ingress traffic](DefaultDenyAllIngress.md) diff --git a/samples/RequireNSLimitsQuotas.md b/samples/RequireNSLimitsQuotas.md index ce920e6d28..64251449d8 100644 --- a/samples/RequireNSLimitsQuotas.md +++ b/samples/RequireNSLimitsQuotas.md @@ -1,6 +1,10 @@ # Configure namespace limits and quotas -To limit the number of objects, as well as the total amount of compute that may be consumed by an application, it is important to create resource limits and quotas for each namespace. +To limit the number of resources like CPU and memory, as well as objects that may be consumed by workloads in a namespace, it is important to configure resource limits and quotas for each namespace. + +## Additional Information + +* [Resource Quota](https://kubernetes.io/docs/concepts/policy/resource-quotas/) ## Policy YAML @@ -29,7 +33,3 @@ spec: limits.memory: "*" ```` -## Additional Information - -* [Resource Quota](https://kubernetes.io/docs/concepts/policy/resource-quotas/) - diff --git a/samples/RequirePodProbes.md b/samples/RequirePodProbes.md index d3b88ea70b..1b20dce2d7 100644 --- a/samples/RequirePodProbes.md +++ b/samples/RequirePodProbes.md @@ -1,6 +1,6 @@ # Require `livenessProbe` and `readinessProbe` -For each pod, a livenessProbe is carried out by the kubelet to determine when to restart a container. A readinessProbe is used by services and deployments to determine if the pod is ready to recieve network traffic. +For each pod, a `livenessProbe` is carried out by the kubelet to determine if containers are running and when to restart the pod. A `readinessProbe` is used by services and deployments to determine if the pod is ready to recieve network traffic. Both liveness and readiness probes need to be configured to manage the pod lifecycle during restarts and upgrades. diff --git a/samples/RequirePodRequestsLimits.md b/samples/RequirePodRequestsLimits.md index c70d3eee82..140ca0a0e4 100644 --- a/samples/RequirePodRequestsLimits.md +++ b/samples/RequirePodRequestsLimits.md @@ -1,6 +1,8 @@ # Require pod resource requests and limits -As application workloads share cluster resources, it is important to limit resources requested and consumed by each pod. It is recommended to require `resources.requests` and `resources.limits` per pod. If a namespace level request or limit is specified, defaults will automatically be applied to each pod based on the `LimitRange` configuration. +Application workloads share cluster resources. Hence, it is important to manage resources assigned for each pod. It is recommended that `resources.requests` and `resources.limits` are configured per pod and include CPU and memory resources. Other resources such as, GPUs, may also be specified as needed. + +If a namespace level request or limit is specified, defaults will automatically be applied to each pod based on the `LimitRange` configuration. ## Policy YAML diff --git a/samples/RequireReadOnlyFS.md b/samples/RequireReadOnlyFS.md index 3d4bf832bc..6f83c2e09e 100644 --- a/samples/RequireReadOnlyFS.md +++ b/samples/RequireReadOnlyFS.md @@ -1,6 +1,6 @@ # Require Read-only root filesystem -A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write on the mounted volume that persists the state. An immutable root filesystem can also prevent malicious binaries from writing to the host system. +A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write on mounted volumes that can persist state even if the container exits. An immutable root filesystem can also prevent malicious binaries from writing to the host system. ## Policy YAML diff --git a/samples/RestrictNodePort.md b/samples/RestrictNodePort.md deleted file mode 100644 index 4ac734fe6f..0000000000 --- a/samples/RestrictNodePort.md +++ /dev/null @@ -1,26 +0,0 @@ -# Restrict service type `NodePort` - -A Kubernetes service of type NodePort uses a host port to receive traffic from any source. A `NetworkPolicy` resource cannot be used to control traffic to host ports. Although `NodePort` services can be useful, their use must be limited to services with additional upstream security checks. - -## Policy YAML - -[disallow_node_port.yaml](best_practices/disallow_node_port.yaml) - -````yaml -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: disallow-node-port -spec: - rules: - - name: disallow-node-port - match: - resources: - kinds: - - Service - validate: - message: "Disallow service of type NodePort" - pattern: - spec: - type: "!NodePort" -```` \ No newline at end of file diff --git a/samples/RunAsNonRootUser.md b/samples/RunAsNonRootUser.md index 7629ee759b..3458e1592c 100644 --- a/samples/RunAsNonRootUser.md +++ b/samples/RunAsNonRootUser.md @@ -1,6 +1,10 @@ # Run as non-root user -By default, processes in a container run as a root user (uid 0). To prevent potential compromise of container hosts, specify a least privileged user ID when building the container image and require that application containers run as non root users i.e. set `runAsNonRoot` to `true`. +By default, all processes in a container run as the root user (uid 0). To prevent potential compromise of container hosts, specify a non-root and least privileged user ID when building the container image and require that application containers run as non root users i.e. set `runAsNonRoot` to `true`. + +## Additional Information + +* [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) ## Policy YAML @@ -30,8 +34,3 @@ spec: securityContext: runAsNonRoot: true ```` - - -## Additional Information - -* [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)