
chore: apply policy fixes (#8427)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-09-18 00:24:26 +02:00 committed by GitHub
parent 3a61f2c6b7
commit 7562bea6db
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
40 changed files with 996 additions and 814 deletions


@ -1,25 +1,35 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: check-image
annotations: annotations:
pod-policies.kyverno.io/autogen-controllers: none pod-policies.kyverno.io/autogen-controllers: none
name: check-image
spec: spec:
admission: true
background: true
rules: rules:
- name: verify-signature - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
verifyImages: name: verify-signature
- imageReferences: verifyImages:
- "*" - attestors:
attestors: - count: 1
- count: 1 entries:
entries: - keys:
- keys: publicKeys: |-
publicKeys: |- -----BEGIN PUBLIC KEY-----
-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFN8gGjQua2g8N+aLx3Eff+/j5HxL
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFN8gGjQua2g8N+aLx3Eff+/j5HxL bV+H2z50/0A4d8XyMUvizPQBtcgei43pqLj1850m3wSwI08z2+6zT1QaEg==
bV+H2z50/0A4d8XyMUvizPQBtcgei43pqLj1850m3wSwI08z2+6zT1QaEg== -----END PUBLIC KEY-----
-----END PUBLIC KEY----- signatureAlgorithm: sha256
imageReferences:
- '*'
mutateDigest: true
required: true
useCache: true
verifyDigest: true
validationFailureAction: Audit
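Review bot: With `validationFailureAction: Audit` on the new side of this section, a Pod whose image carries no signature from the listed key is still admitted and only recorded in a policy report; `required: true` and `verifyDigest: true` only decide what counts as a failure, not whether a failure blocks. If this fixture is meant to exercise an enforcing image-verification path, `validationFailureAction: Enforce` is the one line to change; otherwise a comment such as `# Audit: unsigned images are admitted and reported, not rejected` above `spec` would make the intent explicit. Note also that `imageReferences: '*'` paired with a single hard-coded public key means every image, including those from public registries, must be signed by that key, which is fine for a test but worth stating in an annotation.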


@ -1,21 +1,22 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: limit-configmap-for-sa
annotations: annotations:
policies.kyverno.io/title: Limit ConfigMap to ServiceAccounts for a User kyverno.io/kubernetes-version: 1.20-1.23
policies.kyverno.io/category: Other
policies.kyverno.io/severity: medium
kyverno.io/kyverno-version: 1.6.0 kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.20-1.23" policies.kyverno.io/category: Other
policies.kyverno.io/description: This policy shows how to restrict certain operations
on specific ConfigMaps by ServiceAccounts.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: ConfigMap, ServiceAccount policies.kyverno.io/subject: ConfigMap, ServiceAccount
policies.kyverno.io/description: This policy shows how to restrict certain operations on specific ConfigMaps by ServiceAccounts. policies.kyverno.io/title: Limit ConfigMap to ServiceAccounts for a User
name: limit-configmap-for-sa
spec: spec:
admission: true
background: false background: false
validationFailureAction: audit
rules: rules:
- name: limit-configmap-for-sa-developer - match:
match:
any: any:
- resources: - resources:
kinds: kinds:
@ -31,25 +32,28 @@ spec:
- kind: ServiceAccount - kind: ServiceAccount
name: another-developer name: another-developer
namespace: another-namespace namespace: another-namespace
name: limit-configmap-for-sa-developer
preconditions: preconditions:
all: all:
- key: "{{request.object.metadata.namespace}}" - key: '{{request.object.metadata.namespace}}'
operator: In operator: AllIn
value: value:
- "any-namespace" - any-namespace
- "another-namespace" - another-namespace
- key: "{{request.object.metadata.name}}" - key: '{{request.object.metadata.name}}'
operator: In operator: AllIn
value: value:
- "any-configmap-name-good" - any-configmap-name-good
- "another-configmap-name" - another-configmap-name
validate: validate:
message: "{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} resource is protected. Admin or allowed users can change the resource"
deny: deny:
conditions: conditions:
all: all:
- key: "{{request.operation}}" - key: '{{request.operation}}'
operator: "In" operator: In
value: value:
- "UPDATE" - UPDATE
- "CREATE" - CREATE
message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}}
resource is protected. Admin or allowed users can change the resource'
validationFailureAction: Audit
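Review bot: The deny condition at the end of this hunk lists only `UPDATE` and `CREATE`, so a ServiceAccount that matches the rule can still `DELETE` a protected ConfigMap even though the message says the resource is protected; if deletion is meant to be covered, add `- DELETE` to that value list (the rule is already `background: false`, so `request.operation` is admission-only either way). The `In` → `AllIn` change on the two preconditions looks equivalent for a single-valued key, but that is an inference from the operator names — confirm against the operator docs, and consider a one-line comment `# key is a scalar, AllIn == In here` so the next reader does not re-derive it. The rule's `match`/`subjects` block begins in the previous hunk, outside this one.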


@ -1,40 +1,44 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: pod-requirements
annotations: annotations:
pod-policies.kyverno.io/autogen-controllers: none pod-policies.kyverno.io/autogen-controllers: none
policies.kyverno.io/severity: medium
policies.kyverno.io/category: Pod Security Standards (Restricted) policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/severity: medium
name: pod-requirements
spec: spec:
admission: true
background: false background: false
validationFailureAction: audit
rules: rules:
- name: pods-require-account - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: pods-require-account
validate: validate:
message: User pods must include an account for charging message: User pods must include an account for charging
pattern: pattern:
metadata: metadata:
labels: labels:
account: "*?" account: '*?'
- name: pods-require-limits - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: pods-require-limits
validate: validate:
message: CPU and memory resource requests and limits are required for user pods message: CPU and memory resource requests and limits are required for user pods
pattern: pattern:
spec: spec:
containers: containers:
- resources: - resources:
requests:
memory: "?*"
cpu: "?*"
limits: limits:
memory: "?*" cpu: ?*
cpu: "?*" memory: ?*
requests:
cpu: ?*
memory: ?*
validationFailureAction: Audit
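Review bot: The `pods-require-limits` pattern still walks only `spec.containers`, so an init container with no requests or limits is admitted without a report entry even though the message says limits are required for user pods. If that gap is unintended, add a sibling `=(initContainers):` entry under `spec` mirroring the `containers` block (same `resources.limits` / `resources.requests` keys with `?*`); the `=()` anchor keeps pods without init containers passing. Both rules are pattern-only and reference no `request.*` variables, so `background: false` is stricter than needed and hides pre-existing violations from reports.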


@ -1,41 +1,45 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: Policy kind: Policy
metadata: metadata:
name: pod-requirements
namespace: test
annotations: annotations:
pod-policies.kyverno.io/autogen-controllers: none pod-policies.kyverno.io/autogen-controllers: none
policies.kyverno.io/severity: medium
policies.kyverno.io/category: Pod Security Standards (Restricted) policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/severity: medium
name: pod-requirements
namespace: test
spec: spec:
admission: true
background: false background: false
validationFailureAction: audit
rules: rules:
- name: pods-require-account - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: pods-require-account
validate: validate:
message: User pods must include an account for charging message: User pods must include an account for charging
pattern: pattern:
metadata: metadata:
labels: labels:
account: "*?" account: '*?'
- name: pods-require-limits - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: pods-require-limits
validate: validate:
message: CPU and memory resource requests and limits are required for user pods message: CPU and memory resource requests and limits are required for user pods
pattern: pattern:
spec: spec:
containers: containers:
- resources: - resources:
requests:
memory: "?*"
cpu: "?*"
limits: limits:
memory: "?*" cpu: ?*
cpu: "?*" memory: ?*
requests:
cpu: ?*
memory: ?*
validationFailureAction: Audit
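Review bot: `background: false` on this namespaced Policy means Pods that already exist in namespace `test` are never evaluated against these two rules; neither rule references `request.*` or any other admission-only variable, only static `pattern` blocks, so `background: true` would be safe and would surface pre-existing violations in reports. If the fixture deliberately wants admission-only behaviour, a comment `# background: false on purpose — admission-only fixture` above the line would keep a future "policy fix" pass from flipping it. As in the ClusterPolicy variant, the limits rule covers `spec.containers` only, not `initContainers`.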


@ -1,39 +1,44 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: add-networkpolicy
annotations: annotations:
policies.kyverno.io/category: Workload Management policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: By default, Kubernetes allows communications across policies.kyverno.io/description: By default, Kubernetes allows communications
all pods within a cluster. Network policies and, a CNI that supports network policies, across all pods within a cluster. Network policies and, a CNI that supports
must be used to restrict communinications. A default NetworkPolicy should be configured network policies, must be used to restrict communinications. A default NetworkPolicy
for each namespace to default deny all ingress traffic to the pods in the namespace. should be configured for each namespace to default deny all ingress traffic
Application teams can then configure additional NetworkPolicy resources to allow to the pods in the namespace. Application teams can then configure additional
desired traffic to application pods from select sources. NetworkPolicy resources to allow desired traffic to application pods from select
sources.
name: add-networkpolicy
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: default-deny-ingress - exclude:
match: any:
resources: - resources:
kinds: namespaces:
- Namespace - kube-system
name: "*" - default
exclude: - kube-public
resources: - kyverno
namespaces: generate:
- "kube-system"
- "default"
- "kube-public"
- "kyverno"
generate:
kind: NetworkPolicy
name: default-deny-ingress
namespace: "{{request.object.metadata.name}}"
synchronize : true
data: data:
spec: spec:
# select all pods in the namespace
podSelector: {} podSelector: {}
policyTypes: policyTypes:
- Ingress - Ingress
kind: NetworkPolicy
name: default-deny-ingress
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
name: '*'
name: default-deny-ingress
validationFailureAction: Audit
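Review bot: The generated NetworkPolicy sets `policyTypes: [Ingress]` only, so egress from every pod in the new namespace stays unrestricted; a default-deny baseline normally also lists `- Egress` together with an explicit allow for DNS, and the description annotation should say which of the two it provides. The re-serialization also dropped the `# select all pods in the namespace` comment next to `podSelector: {}`; an empty selector is the load-bearing part of the policy, so keeping `podSelector: {}  # empty selector = every pod in the namespace` is worth the line. `validationFailureAction: Audit` has no effect on a generate-only rule and could be omitted to avoid implying a validation mode.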


@ -1,50 +1,46 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: add-ns-quota
annotations: annotations:
policies.kyverno.io/category: Workload Isolation policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: To limit the number of objects, as well as the policies.kyverno.io/description: To limit the number of objects, as well as the
total amount of compute that may be consumed by a single namespace, create total amount of compute that may be consumed by a single namespace, create a
a default resource quota for each namespace. default resource quota for each namespace.
name: add-ns-quota
spec: spec:
admission: true
background: true
rules: rules:
- name: generate-resourcequota - exclude:
match: any:
resources: - resources:
kinds: namespaces:
- Namespace - kube-system
exclude: - default
resources: - kube-public
namespaces: - kyverno
- "kube-system"
- "default"
- "kube-public"
- "kyverno"
generate: generate:
apiVersion: v1 apiVersion: v1
kind: ResourceQuota
name: default-resourcequota
synchronize : true
namespace: "{{request.object.metadata.name}}"
data: data:
spec: spec:
hard: hard:
requests.cpu: '4' limits.cpu: "4"
requests.memory: '16Gi' limits.memory: 16Gi
limits.cpu: '4' requests.cpu: "4"
limits.memory: '16Gi' requests.memory: 16Gi
- name: generate-limitrange kind: ResourceQuota
name: default-resourcequota
namespace: '{{request.object.metadata.name}}'
synchronize: true
match: match:
resources: any:
kinds: - resources:
- Namespace kinds:
generate: - Namespace
name: generate-resourcequota
- generate:
apiVersion: v1 apiVersion: v1
kind: LimitRange
name: default-limitrange
synchronize : true
namespace: "{{request.object.metadata.name}}"
data: data:
spec: spec:
limits: limits:
@ -55,3 +51,14 @@ spec:
cpu: 200m cpu: 200m
memory: 256Mi memory: 256Mi
type: Container type: Container
kind: LimitRange
name: default-limitrange
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
name: generate-limitrange
validationFailureAction: Audit
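Review bot: The `generate-limitrange` rule in this hunk has a `match` on Namespace but no `exclude` block, while the sibling `generate-resourcequota` rule excludes `kube-system`, `default`, `kube-public` and `kyverno`; as written the LimitRange (with its per-container defaults, whose body starts outside this hunk) is generated into system namespaces too, where injected default limits can apply to control-plane or Kyverno pods that set none. If the asymmetry is not intentional, copy the same `exclude: any: - resources: namespaces: [...]` stanza onto the second rule. A short comment on whichever choice is made would prevent the next fix pass from "harmonising" it the wrong way.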


@ -1,38 +1,45 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: add-safe-to-evict
annotations: annotations:
policies.kyverno.io/category: Workload Management policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict pods that policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict
use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation pods that use hostPath or emptyDir volumes. To allow eviction of these pods,
cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods. the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added
spec: to the pods.
rules: name: add-safe-to-evict
- name: annotate-empty-dir spec:
match: admission: true
resources: background: true
kinds: rules:
- Pod - match:
mutate: any:
- resources:
kinds:
- Pod
mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
annotations: annotations:
+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true" +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
spec: spec:
volumes: volumes:
- <(emptyDir): {} - <(emptyDir): {}
- name: annotate-host-path name: annotate-empty-dir
match: - match:
resources: any:
kinds: - resources:
- Pod kinds:
mutate: - Pod
mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
annotations: annotations:
+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true" +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
spec: spec:
volumes: volumes:
- hostPath: - hostPath:
<(path): "*" <(path): '*'
name: annotate-host-path
validationFailureAction: Audit
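Review bot: The `annotate-host-path` rule marks any pod with a `hostPath` volume as safe-to-evict, which lets the cluster autoscaler drain nodes whose local paths those pods depend on; the description annotation covers the mechanics but not the data-loss trade-off, so a comment above that rule such as `# hostPath data is node-local; eviction is treated as acceptable here` would record the decision. The `+(...)` anchor only adds the annotation when absent, so an explicit `safe-to-evict: "false"` set by the workload owner survives — worth a comment too, since that is the only opt-out. `background: true` on a mutate rule with no `targets` presumably has no effect; confirm rather than assume.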


@ -1,26 +1,31 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: disallow-bind-mounts
annotations: annotations:
policies.kyverno.io/category: Workload Isolation policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind policies.kyverno.io/description: The volume of type `hostPath` allows pods to
mounts (i.e. directories and volumes mounted to a host path) in containers. Using host use host bind mounts (i.e. directories and volumes mounted to a host path) in
resources can be used to access shared data or escalate privileges. Also, this couples pods containers. Using host resources can be used to access shared data or escalate
to a specific host and data persisted in the `hostPath` volume is coupled to the life of the privileges. Also, this couples pods to a specific host and data persisted in
node leading to potential pod scheduling failures. It is highly recommended that applications the `hostPath` volume is coupled to the life of the node leading to potential
are designed to be decoupled from the underlying infrastructure (in this case, nodes). pod scheduling failures. It is highly recommended that applications are designed
spec: to be decoupled from the underlying infrastructure (in this case, nodes).
validationFailureAction: audit name: disallow-bind-mounts
rules: spec:
- name: validate-hostPath admission: true
match: background: true
resources: rules:
kinds: - match:
- Pod any:
validate: - resources:
message: "Host path volumes are not allowed" kinds:
pattern: - Pod
spec: name: validate-hostPath
=(volumes): validate:
message: Host path volumes are not allowed
pattern:
spec:
=(volumes):
- X(hostPath): "null" - X(hostPath): "null"
validationFailureAction: Audit
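Review bot: With `validationFailureAction: Audit` a pod declaring a `hostPath` volume is admitted and only reported, which contradicts the description's "escalate privileges" rationale unless the fixture is deliberately non-blocking; a comment `# Audit for test purposes — use Enforce in clusters` above `spec` would make that clear. The `=(volumes): - X(hostPath): "null"` pattern applies to every element of `spec.volumes`, so one hostPath among several volumes is caught — that is the right shape, and a one-line comment explaining the `X()` (must-not-exist) anchor would help readers unfamiliar with Kyverno pattern anchors.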


@ -1,34 +1,40 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: disallow-host-network-port
annotations: annotations:
policies.kyverno.io/category: Workload Isolation policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: Using 'hostPort' and 'hostNetwork' allows pods to share policies.kyverno.io/description: Using 'hostPort' and 'hostNetwork' allows pods
the host network stack, allowing potential snooping of network traffic from an application pod. to share the host network stack, allowing potential snooping of network traffic
from an application pod.
name: disallow-host-network-port
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: validate-host-network - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-host-network
validate: validate:
message: "Use of hostNetwork is not allowed" message: Use of hostNetwork is not allowed
pattern: pattern:
spec: spec:
=(hostNetwork): false =(hostNetwork): false
- name: validate-host-port - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-host-port
validate: validate:
message: "Use of hostPort is not allowed" message: Use of hostPort is not allowed
pattern: pattern:
spec: spec:
containers: containers:
- name: "*" - =(ports):
=(ports): - X(hostPort): "null"
- X(hostPort): "null" name: '*'
validationFailureAction: Audit
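Review bot: The `validate-host-port` pattern checks `spec.containers[].ports[].hostPort` only, so an init container that binds a `hostPort` is admitted without a report entry even though the message says hostPort is not allowed. Adding a parallel `=(initContainers):` entry under `spec` with the same `=(ports): - X(hostPort): "null"` shape closes that gap without affecting pods that have no init containers. The `name: '*'` wildcard now sits after `=(ports)` in the re-serialized pattern; the order is irrelevant to matching but a comment noting that `name: '*'` is there only to select every container would prevent a reader from thinking it constrains anything.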


@ -1,24 +1,29 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: disallow-host-pid-ipc
annotations: annotations:
policies.kyverno.io/category: Workload Isolation policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process policies.kyverno.io/description: Sharing the host's PID namespace allows visibility
on the host, potentially exposing process information. Sharing the host's IPC namespace allows of process on the host, potentially exposing process information. Sharing the
the container process to communicate with processes on the host. To avoid pod container from host's IPC namespace allows the container process to communicate with processes
having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'. on the host. To avoid pod container from having visibility to host process space,
validate that 'hostPID' and 'hostIPC' are set to 'false'.
name: disallow-host-pid-ipc
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: validate-hostPID-hostIPC - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-hostPID-hostIPC
validate: validate:
message: "Use of host PID and IPC namespaces is not allowed" message: Use of host PID and IPC namespaces is not allowed
pattern: pattern:
spec: spec:
=(hostPID): "false"
=(hostIPC): "false" =(hostIPC): "false"
=(hostPID): "false"
validationFailureAction: Audit
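Review bot: The new side keeps `=(hostIPC): "false"` and `=(hostPID): "false"` as quoted strings, while the sibling fixture `disallow-host-network-port` writes `=(hostNetwork): false` as a YAML boolean; both presumably match because Kyverno compares pattern scalars as strings, but that is an inference from the two fixtures coexisting, not something visible here, so confirm and pick one form across the fixture set. The `=()` anchor means the check passes when the field is absent (Kubernetes defaults to `false`), which is the intended behaviour and worth a one-line comment.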


@ -1,35 +1,40 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: disallow-latest-tag
annotations: annotations:
policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: The ':latest' tag is mutable and can lead to
unexpected errors if the image changes. A best practice is to use an immutable
tag that maps to a specific version of an application pod.
pod-policies.kyverno.io/autogen-controllers: none pod-policies.kyverno.io/autogen-controllers: none
policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: The ':latest' tag is mutable and can lead to
unexpected errors if the image changes. A best practice is to use an immutable
tag that maps to a specific version of an application pod.
name: disallow-latest-tag
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: require-image-tag - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: require-image-tag
validate: validate:
message: "An image tag is required" message: An image tag is required
pattern: pattern:
spec: spec:
containers: containers:
- image: "*:*" - image: '*:*'
- name: validate-image-tag - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-image-tag
validate: validate:
message: "Using a mutable image tag e.g. 'latest' is not allowed" message: Using a mutable image tag e.g. 'latest' is not allowed
pattern: pattern:
spec: spec:
containers: containers:
- image: "!*:latest" - image: '!*:latest'
validationFailureAction: Audit
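Review bot: The `require-image-tag` pattern `image: '*:*'` is satisfied by any colon in the reference, so `localhost:5000/app` (registry port, no tag) passes the tag check even though it resolves to `latest` at pull time; likewise `registry:5000/app:latest` is correctly rejected only by the second rule. If the fixture is meant to model the real best-practice policy, a comment `# ':' also appears in registry ports — tag presence is a heuristic here` is the minimum, and a digest-or-tag check would be the stronger form. Both rules inspect `spec.containers` only; init containers are not covered.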


@ -1,39 +1,42 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: disallow-privileged
annotations: annotations:
policies.kyverno.io/category: Security policies.kyverno.io/category: Security
policies.kyverno.io/description: Privileged containers are defined as any policies.kyverno.io/description: Privileged containers are defined as any container
container where the container uid 0 is mapped to the hosts uid 0. where the container uid 0 is mapped to the hosts uid 0. A process within a
A process within a privileged container can get unrestricted host access. privileged container can get unrestricted host access. With `securityContext.allowPrivilegeEscalation`
With `securityContext.allowPrivilegeEscalation` enabled, a process can enabled, a process can gain privileges from its parent.
gain privileges from its parent. name: disallow-privileged
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: validate-privileged - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-privileged
validate: validate:
message: "Privileged mode is not allowed. Set privileged to false" message: Privileged mode is not allowed. Set privileged to false
pattern: pattern:
spec: spec:
containers: containers:
- =(securityContext): - =(securityContext):
=(privileged): false =(privileged): false
- name: validate-allowPrivilegeEscalation - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-allowPrivilegeEscalation
validate: validate:
message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false" message: Privileged mode is not allowed. Set allowPrivilegeEscalation to false
pattern: pattern:
spec: spec:
containers: containers:
- securityContext: - securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
validationFailureAction: Audit
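Review bot: The two rules use different anchors: `validate-privileged` wraps the check in `=(securityContext): =(privileged): false` so a container with no `securityContext` passes, while `validate-allowPrivilegeEscalation` uses a bare `securityContext: allowPrivilegeEscalation: false` so a container with no `securityContext` at all fails. The second is the stricter (and for `allowPrivilegeEscalation`, arguably correct, since the Kubernetes default is `true`) behaviour, but the asymmetry reads as accidental; add `# no =() anchor on purpose: allowPrivilegeEscalation defaults to true, so it must be set explicitly` above it, or align both. The description's claim that a privileged container is one "where the container uid 0 is mapped to the hosts uid 0" describes user-namespace mapping rather than `privileged: true`; I would reword it to the capability/device-access definition, though that text is history here.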


@ -1,23 +1,28 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: disallow-sysctls
annotations: annotations:
policies.kyverno.io/category: Security policies.kyverno.io/category: Security
policies.kyverno.io/description: The Sysctl interface allows modifications to kernel parameters policies.kyverno.io/description: The Sysctl interface allows modifications to
at runtime. In a Kubernetes pod these parameters can be specified under `securityContext.sysctls`. kernel parameters at runtime. In a Kubernetes pod these parameters can be specified
Kernel parameter modifications can be used for exploits and should be restricted. under `securityContext.sysctls`. Kernel parameter modifications can be used
for exploits and should be restricted.
name: disallow-sysctls
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: validate-sysctls - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-sysctls
validate: validate:
message: "Changes to kernel parameters are not allowed" message: Changes to kernel parameters are not allowed
pattern: pattern:
spec: spec:
=(securityContext): =(securityContext):
X(sysctls): null X(sysctls): null
validationFailureAction: Audit
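Review bot: The pattern `X(sysctls): null` uses a bare YAML `null`, whereas the sibling fixtures write the must-not-exist anchor value as the string `"null"` (`X(hostPath): "null"`, `X(hostPort): "null"`); a bare `null` is a YAML nil rather than a string, and whether Kyverno treats the two identically is not visible from this fixture, so confirm and standardise on `X(sysctls): "null"` to match the others. The check sits under pod-level `=(securityContext)`, which is correct since `sysctls` is a pod-level field only — a one-line comment saying so would stop someone adding a per-container copy.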


@ -1,21 +1,26 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: require-certain-labels name: require-certain-labels
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: validate-certain-labels - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-certain-labels
validate: validate:
message: "The label `app.kubernetes.io/name` or `app.kubernetes.io/component` is required."
anyPattern: anyPattern:
- metadata: - metadata:
labels: labels:
app.kubernetes.io/name: "?*" app.kubernetes.io/name: ?*
- metadata: - metadata:
labels: labels:
app.kubernetes.io/component: "?*" app.kubernetes.io/component: ?*
message: The label `app.kubernetes.io/name` or `app.kubernetes.io/component`
is required.
validationFailureAction: Audit


@ -1,20 +1,22 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: require-labels name: require-labels
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: check-for-labels - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: check-for-labels
validate: validate:
message: "The label `app.kubernetes.io/name` is required." message: The label `app.kubernetes.io/name` is required.
pattern: pattern:
metadata: metadata:
labels: labels:
app.kubernetes.io/name: "?*" app.kubernetes.io/name: ?*
# You can add more labels if you wish the policy to validate more than just one is present. Uncomment the below line, or add new ones. validationFailureAction: Audit
#app.kubernetes.io/component: "?*


@ -1,29 +1,34 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: require-pod-requests-limits
annotations: annotations:
policies.kyverno.io/category: Workload Management policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: As application workloads share cluster resources, it is important policies.kyverno.io/description: As application workloads share cluster resources,
to limit resources requested and consumed by each pod. It is recommended to require it is important to limit resources requested and consumed by each pod. It is
'resources.requests' and 'resources.limits.memory' per pod. If a namespace level request or limit is recommended to require 'resources.requests' and 'resources.limits.memory' per
specified, defaults will automatically be applied to each pod based on the 'LimitRange' configuration. pod. If a namespace level request or limit is specified, defaults will automatically
be applied to each pod based on the 'LimitRange' configuration.
name: require-pod-requests-limits
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: validate-resources - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-resources
validate: validate:
message: "CPU and memory resource requests and limits are required" message: CPU and memory resource requests and limits are required
pattern: pattern:
spec: spec:
containers: containers:
- resources: - resources:
requests:
memory: "?*"
cpu: "?*"
limits: limits:
memory: "?*" memory: ?*
requests:
cpu: ?*
memory: ?*
validationFailureAction: Audit
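Review bot: The message `CPU and memory resource requests and limits are required` overstates the rule: the new side requires `requests.cpu`, `requests.memory` and `limits.memory` but not `limits.cpu`, which matches the description's "'resources.requests' and 'resources.limits.memory'" wording but not the message. Either add `cpu: ?*` under `limits` or change the message to `CPU/memory requests and a memory limit are required` so report consumers are not told a CPU limit is mandatory. The pattern covers `spec.containers` only; init containers are unchecked.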


@ -1,28 +1,34 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: select-secrets name: select-secrets
spec: spec:
admission: true
background: false background: false
validationFailureAction: enforce
rules: rules:
- name: select-secrets-from-volumes - context:
- apiCall:
jmesPath: metadata.labels.foo
method: GET
urlPath: /api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{request.object.spec.volumes[0].secret.secretName}}
name: volsecret
match: match:
resources: any:
kinds: - resources:
- Pod kinds:
context: - Pod
- name: volsecret name: select-secrets-from-volumes
apiCall:
urlPath: "/api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{request.object.spec.volumes[0].secret.secretName}}"
jmesPath: "metadata.labels.foo"
preconditions: preconditions:
- key: "{{ request.operation }}" all:
operator: Equals - key: '{{ request.operation }}'
value: "CREATE" operator: Equals
value: CREATE
validate: validate:
message: "The Secret named {{request.object.spec.volumes[0].secret.secretName}} is restricted and may not be used." message: The Secret named {{request.object.spec.volumes[0].secret.secretName}}
is restricted and may not be used.
pattern: pattern:
spec: spec:
containers: containers:
- image: "registry.domain.com/*" - image: registry.domain.com/*
validationFailureAction: Enforce
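Review bot: The `apiCall.urlPath` and the validation message both read `request.object.spec.volumes[0].secret.secretName`, so only the first volume is inspected; a pod that mounts the restricted Secret as its second volume, or via `envFrom`/`env.valueFrom`, is never looked up and passes the `Enforce` rule. A foreach over `request.object.spec.volumes[?secret]` (or a JMESPath that collects all `secret.secretName` values) is the shape that closes this, though it is a larger rewrite than a one-liner. Separately, `secretName` is user-supplied and is interpolated into an API URL path; it is presumably constrained by Pod validation to a valid name, but since the rule is `Enforce`, confirm what happens when the Secret does not exist (API error vs. empty `jmesPath` result), because that decides whether the rule fails open or closed.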


@ -1,56 +1,60 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
policies.kyverno.io/category: Best Practices
policies.kyverno.io/description: >-
The ':latest' tag is mutable and can lead to unexpected errors if the
image changes. A best practice is to use an immutable tag that maps to
a specific version of an application pod.
spec:
validationFailureAction: audit
rules:
- name: validate-image-tag
match:
resources:
kinds:
- Pod
validate:
message: "Using a mutable image tag e.g. 'latest' is not allowed."
pattern:
spec:
containers:
- image: "!*:latest"
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: drop-all-capabilities annotations:
policies.kyverno.io/category: Best Practices
policies.kyverno.io/description: The ':latest' tag is mutable and can lead to
unexpected errors if the image changes. A best practice is to use an immutable
tag that maps to a specific version of an application pod.
name: disallow-latest-tag
spec:
admission: true
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'
validationFailureAction: Audit
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations: annotations:
policies.kyverno.io/scored: "false" policies.kyverno.io/scored: "false"
name: drop-all-capabilities
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: require-drop-all - match:
match: any:
any: - resources:
- resources: kinds:
kinds: - Pod
- Pod name: require-drop-all
preconditions: preconditions:
all: all:
- key: "{{ request.operation }}" - key: '{{ request.operation }}'
operator: NotEquals operator: NotEquals
value: DELETE value: DELETE
validate: validate:
message: >- foreach:
Containers must drop `ALL` capabilities. - deny:
foreach: conditions:
- list: request.object.spec.[ephemeralContainers, initContainers, containers][] all:
deny: - key: ALL
conditions: operator: AnyNotIn
all: value: '{{ element.securityContext.capabilities.drop || '''' }}'
- key: ALL list: request.object.spec.[ephemeralContainers, initContainers, containers][]
operator: AnyNotIn message: Containers must drop `ALL` capabilities.
value: "{{ element.securityContext.capabilities.drop || '' }}" validationFailureAction: Audit
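Review bot: In the first document of this file, `disallow-latest-tag` carries only the `validate-image-tag` rule with `image: '!*:latest'`, so an untagged reference such as `nginx` (which the runtime resolves to `:latest`) passes, unlike the sibling fixture that pairs it with a `'*:*'` tag-presence rule; if this file is meant to be a faithful copy of the best-practice policy, a comment `# untagged images are not caught here — see the two-rule variant` or the second rule itself is needed. In `drop-all-capabilities`, the `preconditions` on `request.operation` coexist with `background: true`; `request.operation` is presumably populated in background scans, but confirm that the policy still loads under the background-variable validation rather than assume it. The foreach list `request.object.spec.[ephemeralContainers, initContainers, containers][]` does cover all three container kinds, which is the right shape.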


@ -1,21 +1,23 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: validate-default-proc-mount name: validate-default-proc-mount
spec: spec:
validationFailureAction: "audit" admission: true
background: true
rules: rules:
- name: validate-default-proc-mount - match:
match:
all: all:
- resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-default-proc-mount
validate: validate:
message: "Default proc mount should set to Unmasked" message: Default proc mount should set to Unmasked
pattern: pattern:
spec: spec:
containers: containers:
- securityContext: - securityContext:
procMount: Unmasked procMount: Unmasked
# used by rootless containers validationFailureAction: Audit
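Review bot: The re-serialization drops the trailing `# used by rootless containers` comment, which was the only explanation of why this fixture *requires* `procMount: Unmasked` — the permissive setting that exposes masked `/proc` paths — rather than forbidding it. Since a reader will reasonably assume a security fixture should demand `Default`, move the rationale into an annotation, e.g. `policies.kyverno.io/description: Unmasked procMount is required here for rootless containers; this is a test fixture, not a hardening policy`. The message `Default proc mount should set to Unmasked` should also read `should be set to Unmasked`.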


@ -1,24 +1,24 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: validate-selinux-options name: validate-selinux-options
spec: spec:
validationFailureAction: "audit" admission: true
background: true
rules: rules:
- name: validate-selinux-options - match:
match: any:
any: - resources:
- resources: kinds:
kinds: - Pod
- Pod name: validate-selinux-options
validate: validate:
message: "SELinux level is required" message: SELinux level is required
pattern: pattern:
spec: spec:
containers: containers:
- securityContext: - securityContext:
seLinuxOptions: seLinuxOptions:
level: "?*" level: ?*
# level: "s0:c25,c968" validationFailureAction: Audit
# If SELinux security module is loaded on the host operating system,
# we can make sure pods only have access to specified configured level
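Review bot: The three explanatory comments on the old side (the example `level: "s0:c25,c968"` and the note that the check only matters when the SELinux LSM is loaded on the host) are gone from the new side, leaving a rule that rejects every Pod whose containers do not set `seLinuxOptions.level` with no hint of why. Carry that context into a `policies.kyverno.io/description` annotation such as `Requires an explicit SELinux level per container (e.g. s0:c25,c968); only meaningful on hosts with SELinux enabled`. The pattern covers `spec.containers` only, not init containers, which is worth stating for a fixture that is otherwise all-or-nothing.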


@ -1,25 +1,28 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: validate-volumes-whitelist name: validate-volumes-whitelist
spec: spec:
validationFailureAction: "audit" admission: true
background: true
rules: rules:
- name: validate-volumes-whitelist - match:
match:
any: any:
- resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-volumes-whitelist
validate: validate:
message: "Volume type is not of type hostPath, emptyDir, or configMap."
anyPattern: anyPattern:
- spec: - spec:
volumes: volumes:
- hostPath: "*" - hostPath: '*'
- spec: - spec:
volumes: volumes:
- emptyDir: "*" - emptyDir: '*'
- spec: - spec:
volumes: volumes:
- configMap: "*" - configMap: '*'
message: Volume type is not of type hostPath, emptyDir, or configMap.
validationFailureAction: Audit


@ -1,29 +1,26 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: bug-demo
annotations: annotations:
pod-policies.kyverno.io/autogen-controllers: "none" pod-policies.kyverno.io/autogen-controllers: none
name: bug-demo
spec: spec:
admission: true
background: false background: false
validationFailureAction: enforce
rules: rules:
- match:
- name: mutate1
match:
all: all:
- resources: - resources:
kinds: kinds:
- v1/Pod - v1/Pod
mutate: mutate:
foreach: foreach:
- list: |- - context:
request.object.spec.containers || `[]`
context:
- name: container_path - name: container_path
variable: variable:
value: "/spec/containers/{{ elementIndex }}" value: /spec/containers/{{ elementIndex }}
list: request.object.spec.containers || `[]`
patchesJson6902: |- patchesJson6902: |-
{{ {{
[ [
@ -82,3 +79,5 @@ spec:
| |
to_string(@) to_string(@)
}} }}
name: mutate1
validationFailureAction: Enforce


@ -1,50 +1,52 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: disable-connection-draining
annotations: annotations:
policies.kyverno.io/title: Configure Connection Draining
policies.kyverno.io/category: Best Practices policies.kyverno.io/category: Best Practices
policies.kyverno.io/subject: Service policies.kyverno.io/subject: Service
policies.kyverno.io/title: Configure Connection Draining
name: disable-connection-draining
spec: spec:
admission: true
background: true background: true
rules: rules:
- name: clb - context:
match:
resources:
kinds:
- Service
context:
- name: connection_draining_check - name: connection_draining_check
variable: variable:
default: "empty" default: empty
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled" jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled"
- name: nlb_check - name: nlb_check
variable: variable:
default: "false" default: "false"
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-type" jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-type"
preconditions: match:
all: any:
- key: "{{ request.object.spec.type }}" - resources:
operator: Equals kinds:
value: "LoadBalancer" - Service
- key: "{{ connection_draining_check }}"
operator: AnyIn
value: ["true", "empty"]
- key: "{{ nlb_check }}"
operator: AnyNotIn
value: ["external", "nlb"]
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
annotations: annotations:
service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: "false" service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: "false"
- name: nlb-no-attributes name: clb
match: preconditions:
resources: all:
kinds: - key: '{{ request.object.spec.type }}'
- Service operator: Equals
context: value: LoadBalancer
- key: '{{ connection_draining_check }}'
operator: AnyIn
value:
- "true"
- empty
- key: '{{ nlb_check }}'
operator: AnyNotIn
value:
- external
- nlb
- context:
- name: nlb_check - name: nlb_check
variable: variable:
default: "false" default: "false"
@ -53,19 +55,26 @@ spec:
variable: variable:
default: "false" default: "false"
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-target-group-attributes" jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-target-group-attributes"
preconditions: match:
all: any:
- key: "{{ request.object.spec.type }}" - resources:
operator: Equals kinds:
value: "LoadBalancer" - Service
- key: "{{ nlb_check }}"
operator: Equals
value: "external"
- key: "{{ tg_attributes }}"
operator: Equals
value: "false"
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
annotations: annotations:
service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "deregistration_delay.connection_termination.enabled=true,deregistration_delay.timeout_seconds=0" service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: deregistration_delay.connection_termination.enabled=true,deregistration_delay.timeout_seconds=0
name: nlb-no-attributes
preconditions:
all:
- key: '{{ request.object.spec.type }}'
operator: Equals
value: LoadBalancer
- key: '{{ nlb_check }}'
operator: Equals
value: external
- key: '{{ tg_attributes }}'
operator: Equals
value: "false"
validationFailureAction: Audit


@ -1,22 +1,27 @@
apiVersion: kyverno.io/v1 ---
kind: ClusterPolicy apiVersion: kyverno.io/v1
metadata: kind: ClusterPolicy
name: mutate-emptydir metadata:
spec: name: mutate-emptydir
rules: spec:
- name: setDefault admission: true
match: background: true
resources: rules:
kinds: - match:
- Deployment any:
mutate: - resources:
foreach: kinds:
- list: "request.object.spec.template.spec.volumes" - Deployment
patchStrategicMerge: mutate:
spec: foreach:
template: - list: request.object.spec.template.spec.volumes
spec: patchStrategicMerge:
volumes: spec:
- name: "{{ element.name }}" template:
(emptyDir): spec:
+(sizeLimit): "20Mi" volumes:
- (emptyDir):
+(sizeLimit): 20Mi
name: '{{ element.name }}'
name: setDefault
validationFailureAction: Audit


@ -1,26 +1,30 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: add-default-resources
annotations: annotations:
pod-policies.kyverno.io/autogen-controllers: "none" pod-policies.kyverno.io/autogen-controllers: none
name: add-default-resources
spec: spec:
admission: true
background: false background: false
rules: rules:
- name: add-default-requests - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
mutate: mutate:
foreach: foreach:
- list: "request.object.spec.containers" - list: request.object.spec.containers
patchesJson6902: |- patchesJson6902: |-
- path: /spec/containers/{{elementIndex}}/resources/requests/memory - path: /spec/containers/{{elementIndex}}/resources/requests/memory
op: add op: add
value: "100Mi" value: "100Mi"
- list: "request.object.spec.containers" - list: request.object.spec.containers
patchesJson6902: |- patchesJson6902: |-
- path: /spec/containers/{{elementIndex}}/resources/requests/cpu - path: /spec/containers/{{elementIndex}}/resources/requests/cpu
op: add op: add
value: "100m" value: "100m"
name: add-default-requests
validationFailureAction: Audit


@ -1,47 +1,56 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: foreach-json-patch
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
rules:
- name: add-security-context
match:
resources:
kinds:
- Pod
preconditions:
- key: "{{ request.operation }}"
operator: Equals
value: "CREATE"
mutate:
foreach:
- list: "request.object.spec.containers"
patchesJson6902: |-
- path: /spec/containers/{{elementIndex}}/securityContext
op: add
value: {"runAsNonRoot" : true}
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: mutate-images
annotations: annotations:
pod-policies.kyverno.io/autogen-controllers: none pod-policies.kyverno.io/autogen-controllers: none
name: foreach-json-patch
spec: spec:
background: false admission: true
background: true
rules: rules:
- name: test - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
mutate: mutate:
foreach: foreach:
- list: "request.object.spec.containers" - list: request.object.spec.containers
patchesJson6902: |-
- path: /spec/containers/{{elementIndex}}/securityContext
op: add
value: {"runAsNonRoot" : true}
name: add-security-context
preconditions:
all:
- key: '{{ request.operation }}'
operator: Equals
value: CREATE
validationFailureAction: Audit
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
pod-policies.kyverno.io/autogen-controllers: none
name: mutate-images
spec:
admission: true
background: false
rules:
- match:
any:
- resources:
kinds:
- Pod
mutate:
foreach:
- list: request.object.spec.containers
patchStrategicMerge: patchStrategicMerge:
spec: spec:
containers: containers:
- name: "{{ element.name }}" - image: registry.digitalocean.com/runlevl4/{{ images.containers."{{element.name}}".name}}:{{images.containers."{{element.name}}".tag}}
image: registry.digitalocean.com/runlevl4/{{ images.containers."{{element.name}}".name}}:{{images.containers."{{element.name}}".tag}} name: '{{ element.name }}'
name: test
validationFailureAction: Audit


@ -1,29 +1,32 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: add-default-resources name: add-default-resources
spec: spec:
admission: true
background: false background: false
rules: rules:
- name: add-default-requests - match:
match:
any: any:
- resources: - resources:
kinds: kinds:
- Pod - Pod
preconditions:
any:
- key: "{{request.operation}}"
operator: In
value:
- CREATE
- UPDATE
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
spec: spec:
containers: containers:
- (name): "*" - (name): '*'
resources: resources:
requests: requests:
+(memory): "100Mi" +(cpu): 100m
+(cpu): "100m" +(memory): 100Mi
name: add-default-requests
preconditions:
any:
- key: '{{request.operation}}'
operator: AllIn
value:
- CREATE
- UPDATE
validationFailureAction: Audit


@ -1,100 +1,107 @@
# Below there are both type of policies: ClusterPolicy and Policy(Namespaced-Policy) ---
#ClusterPolicy
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: add-label
annotations: annotations:
policies.kyverno.io/title: Add nodeSelector
policies.kyverno.io/category: Sample policies.kyverno.io/category: Sample
policies.kyverno.io/description: Labels are used as an important source of metadata
describing objects in various ways or triggering other functionality. Labels
are also a very basic concept and should be used throughout Kubernetes. This
policy performs a simple mutation which adds a label `color=orange` to Pods,
Services, ConfigMaps, and Secrets.
policies.kyverno.io/subject: Pod policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >- policies.kyverno.io/title: Add nodeSelector
Labels are used as an important source of metadata describing objects in various ways name: add-label
or triggering other functionality. Labels are also a very basic concept and should be
used throughout Kubernetes. This policy performs a simple mutation which adds a label
`color=orange` to Pods, Services, ConfigMaps, and Secrets.
spec: spec:
admission: true
background: false background: false
rules: rules:
- name: add-label - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
labels: labels:
color: orange color: orange
- name: "impossible-rule" name: add-label
match: - match:
resources: any:
kinds: - resources:
kinds:
- Pod - Pod
preconditions:
all:
- key: "not-the-name" # This precondition should always fail!
operator: In
value: "{{ request.object.metadata.labels | keys(@) }}"
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
labels: labels:
something: "something" something: something
name: impossible-rule
preconditions:
all:
- key: not-the-name
operator: AllIn
value: '{{ request.object.metadata.labels | keys(@) }}'
validationFailureAction: Audit
--- ---
# Policy ( In testing namespace )
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: Policy kind: Policy
metadata: metadata:
annotations:
policies.kyverno.io/category: Sample
policies.kyverno.io/description: The ndots value controls where DNS lookups are
first performed in a cluster and needs to be set to a lower value than the default
of 5 in some cases. This policy mutates all Pods to add the ndots option with
a value of 1.
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Add ndots
name: add-ndots name: add-ndots
namespace: testing namespace: testing
annotations:
policies.kyverno.io/title: Add ndots
policies.kyverno.io/category: Sample
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
The ndots value controls where DNS lookups are first performed in a cluster
and needs to be set to a lower value than the default of 5 in some cases.
This policy mutates all Pods to add the ndots option with a value of 1.
spec: spec:
admission: true
background: false background: false
rules: rules:
- name: add-ndots - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
spec: spec:
dnsConfig: dnsConfig:
options: options:
- name: ndots - name: ndots
value: "1" value: "1"
name: add-ndots
validationFailureAction: Audit
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: example name: example
spec: spec:
admission: true
background: true
rules: rules:
- name: object_from_lists - context:
context: - name: annotations
- name: annotations variable:
variable: jmesPath: items(request.object.metadata.annotations, 'key', 'value')[?starts_with(key,
jmesPath: items(request.object.metadata.annotations, 'key', 'value')[?starts_with(key, 'key')] 'key')]
- name: annotations - name: annotations
variable: variable:
jmesPath: object_from_lists(annotations[].key, annotations[].value) jmesPath: object_from_lists(annotations[].key, annotations[].value)
match: match:
resources: any:
kinds: - resources:
- Pod kinds:
- Pod
mutate: mutate:
patchesJson6902: |- patchesJson6902: |-
- path: "/metadata/annotations" - path: "/metadata/annotations"
op: replace op: replace
value: {{ annotations }} value: {{ annotations }}
name: object_from_lists
validationFailureAction: Audit
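Review bot: The `jmesPath` of the first `annotations` context entry in the `example` policy is now a plain scalar wrapped onto a second line (`...[?starts_with(key,` followed by `'key')]`). YAML folds that line break into a single space so the expression still parses, but a plain multi-line scalar is fragile — a continuation line that happens to contain `: ` or ` #` changes the parse — and it hides where the expression ends. Prefer `jmesPath: >-` with the expression indented beneath it, or keep the expression on one line. A short comment on the second entry, e.g. `# rebuilds the filtered list into a map; intentionally shadows the entry above`, would also help, since the two entries sharing the name `annotations` is easy to misread as a mistake.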


@ -1,19 +1,23 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: add-default-labels name: add-default-labels
spec: spec:
admission: true
background: false background: false
rules: rules:
- name: add-default-labels - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
- Service - Service
- Namespace - Namespace
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
metadata: metadata:
labels: labels:
custom-foo-label: my-bar-default custom-foo-label: my-bar-default
name: add-default-labels
validationFailureAction: Audit


@ -1,34 +1,39 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: add-pod-default-seccompprofile
annotations: annotations:
policies.kyverno.io/category: Security policies.kyverno.io/category: Security
policies.kyverno.io/description: Seccomp Profiles restrict the system calls that can be made policies.kyverno.io/description: Seccomp Profiles restrict the system calls that
from a process. The Linux kernel has a few hundred system calls, but most of them are not can be made from a process. The Linux kernel has a few hundred system calls,
needed by any given process. If a process can be compromised and tricked into making other but most of them are not needed by any given process. If a process can be compromised
system calls, though, it may lead to a security vulnerability that could result in the and tricked into making other system calls, though, it may lead to a security
compromise of the whole system. By restricting what system calls can be made, seccomp is vulnerability that could result in the compromise of the whole system. By restricting
a key component for building application sandboxes. what system calls can be made, seccomp is a key component for building application
sandboxes.
name: add-pod-default-seccompprofile
spec: spec:
admission: true
background: false background: false
validationFailureAction: audit
rules: rules:
- name: add-pod-default-seccompprofile - exclude:
any:
- resources:
namespaces:
- kube-system
- kube-public
- default
- kyverno
match: match:
resources: any:
kinds: - resources:
- Pod kinds:
exclude: - Pod
resources:
namespaces:
- "kube-system"
- "kube-public"
- "default"
- "kyverno"
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
spec: spec:
securityContext: securityContext:
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
name: add-pod-default-seccompprofile
validationFailureAction: Audit


@ -1,35 +1,38 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: insert-podantiaffinity name: insert-podantiaffinity
spec: spec:
admission: true
background: true
rules: rules:
- name: insert-podantiaffinity - match:
match: any:
resources: - resources:
kinds: kinds:
- Deployment - Deployment
preconditions: mutate:
# This precondition ensures that the label `app` is applied to Pods within the Deployment resource. patchStrategicMerge:
- key: "{{request.object.metadata.labels.app}}" spec:
template:
spec:
+(affinity):
+(podAntiAffinity):
+(preferredDuringSchedulingIgnoredDuringExecution):
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- '{{request.object.metadata.labels.app}}'
topologyKey: kubernetes.io/hostname
weight: 1
name: insert-podantiaffinity
preconditions:
all:
- key: '{{request.object.metadata.labels.app}}'
operator: NotEquals operator: NotEquals
value: "" value: ""
# Mutates the Deployment resource to add fields. validationFailureAction: Audit
mutate:
patchStrategicMerge:
spec:
template:
spec:
# Add the `affinity` key and others if not already specified in the Deployment manifest.
+(affinity):
+(podAntiAffinity):
+(preferredDuringSchedulingIgnoredDuringExecution):
- weight: 1
podAffinityTerm:
topologyKey: "kubernetes.io/hostname"
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- "{{request.object.metadata.labels.app}}"


@ -1,22 +1,25 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: secrets-not-from-env-vars name: secrets-not-from-env-vars
spec: spec:
admission: true
background: false background: false
validationFailureAction: audit
rules: rules:
- name: secrets-not-from-env-vars - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: secrets-not-from-env-vars
validate: validate:
message: "Secrets must be mounted as volumes, not as environment variables." message: Secrets must be mounted as volumes, not as environment variables.
pattern: pattern:
spec: spec:
containers: containers:
- name: "*" - =(env):
=(env):
- =(valueFrom): - =(valueFrom):
X(secretKeyRef): "null" X(secretKeyRef): "null"
name: '*'
validationFailureAction: Audit
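Review bot: The pattern in `secrets-not-from-env-vars` only inspects `spec.containers[].env[].valueFrom.secretKeyRef`, so a Pod that injects a Secret through `envFrom: - secretRef:` on the same container, or through `initContainers` or `ephemeralContainers`, passes although the message states that Secrets must not arrive as environment variables. If the rule is meant to cover those paths, add a sibling entry next to `=(env)`, e.g. `=(envFrom): - X(secretRef): "null"`, and repeat the container pattern under `initContainers`; otherwise narrow the message so it says it covers `env` on `containers` only.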


@ -1,66 +1,64 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: validate-probes
annotations: annotations:
# Only applies to pods originating from DaemonSet, Deployment, or StatefulSet.
pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
name: validate-probes
spec: spec:
validationFailureAction: enforce admission: true
background: false background: false
rules: rules:
# Checks the first container in a Pod. - match:
- name: validate-probes-c0 any:
match: - resources:
resources:
kinds: kinds:
- Pod - Pod
validate: name: validate-probes-c0
message: "Liveness and readiness probes cannot be the same." validate:
# A `deny` rule is different in structure than a `validate` rule and inverts the check. It uses `conditions` written in JMESPath notation upon which to base its decisions. deny:
deny: conditions:
conditions: - key: '{{ request.object.spec.containers[0].readinessProbe }}'
# In this condition, it checks the entire map structure of the `readinessProbe` against that of the `livenessProbe`. If both are found to be equal, the Pod creation operator: Equals
# request will be denied. value: '{{ request.object.spec.containers[0].livenessProbe }}'
- key: "{{ request.object.spec.containers[0].readinessProbe }}" message: Liveness and readiness probes cannot be the same.
operator: Equals - match:
value: "{{ request.object.spec.containers[0].livenessProbe }}" any:
# Checks the second container in a Pod. - resources:
- name: validate-probes-c1
match:
resources:
kinds: kinds:
- Pod - Pod
validate: name: validate-probes-c1
message: "Liveness and readiness probes cannot be the same." validate:
deny: deny:
conditions: conditions:
- key: "{{ request.object.spec.containers[1].readinessProbe }}" - key: '{{ request.object.spec.containers[1].readinessProbe }}'
operator: Equals operator: Equals
value: "{{ request.object.spec.containers[1].livenessProbe }}" value: '{{ request.object.spec.containers[1].livenessProbe }}'
# Checks the third container in a Pod. message: Liveness and readiness probes cannot be the same.
- name: validate-probes-c2 - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
validate: name: validate-probes-c2
message: "Liveness and readiness probes cannot be the same." validate:
deny: deny:
conditions: conditions:
- key: "{{ request.object.spec.containers[2].readinessProbe }}" - key: '{{ request.object.spec.containers[2].readinessProbe }}'
operator: Equals operator: Equals
value: "{{ request.object.spec.containers[2].livenessProbe }}" value: '{{ request.object.spec.containers[2].livenessProbe }}'
# Checks the fourth container in a Pod. message: Liveness and readiness probes cannot be the same.
- name: validate-probes-c3 - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
validate: name: validate-probes-c3
message: "Liveness and readiness probes cannot be the same." validate:
deny: deny:
conditions: conditions:
- key: "{{ request.object.spec.containers[3].readinessProbe }}" - key: '{{ request.object.spec.containers[3].readinessProbe }}'
operator: Equals operator: Equals
value: "{{ request.object.spec.containers[3].livenessProbe }}" value: '{{ request.object.spec.containers[3].livenessProbe }}'
message: Liveness and readiness probes cannot be the same.
validationFailureAction: Enforce
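Review bot: The four `validate-probes-c*` rules compare `containers[0]` through `containers[3]` only, so a fifth or later container is never checked, and the per-rule comments that explained this indexed layout are gone from the new side. A single rule with `validate.foreach` over `request.object.spec.containers` comparing `'{{ element.readinessProbe }}'` with `'{{ element.livenessProbe }}'` would cover any container count with the same `deny` condition. If the fixed four-index layout is deliberate for this test, restore a comment saying so, e.g. `# Checks the first four containers only; additional containers are not validated.`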


@ -1,24 +1,29 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: deployment-has-multiple-replicas name: deployment-has-multiple-replicas
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: deployment-has-multiple-replicas - exclude:
match: any:
resources: - resources:
kinds:
- Deployment
exclude:
resources:
namespaces: namespaces:
- kyverno - kyverno
- kube-system - kube-system
- kube-node-lease - kube-node-lease
- kube-public - kube-public
validate: match:
message: "Deployments must have more than one replica to ensure availability." any:
pattern: - resources:
spec: kinds:
replicas: ">1" - Deployment
name: deployment-has-multiple-replicas
validate:
message: Deployments must have more than one replica to ensure availability.
pattern:
spec:
replicas: '>1'
validationFailureAction: Audit


@ -1,33 +1,40 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: drop-all-capabilities name: drop-all-capabilities
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: drop-all-containers - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: drop-all-containers
validate: validate:
message: "Drop all must be defined for every container in the Pod." message: Drop all must be defined for every container in the Pod.
pattern: pattern:
spec: spec:
containers: containers:
- securityContext: - securityContext:
capabilities: capabilities:
drop: ["ALL"] drop:
- name: drop-all-initcontainers - ALL
match: - match:
resources: any:
kinds: - resources:
- Pod kinds:
- Pod
name: drop-all-initcontainers
validate: validate:
message: "Drop all must be defined for every container in the Pod." message: Drop all must be defined for every container in the Pod.
pattern: pattern:
spec: spec:
initContainers: initContainers:
- securityContext: - securityContext:
capabilities: capabilities:
drop: ["ALL"] drop:
- ALL
validationFailureAction: Audit
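Review bot: `drop-all-capabilities` has one rule for `containers` and one for `initContainers`, but nothing covers `ephemeralContainers`, whereas the first hunk on this page already iterates `request.object.spec.[ephemeralContainers, initContainers, containers][]` for the same check. An ephemeral container therefore keeps whatever capabilities it requests without the policy noticing (assuming the policy sees the corresponding Pod update at all). Either add a third rule with the same pattern under `ephemeralContainers`, or collapse the two rules into a single foreach over all three lists as that other policy does.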


@ -1,22 +1,27 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: restrict-automount-sa-token
annotations: annotations:
policies.kyverno.io/category: Security policies.kyverno.io/category: Security
policies.kyverno.io/description: Kubernetes automatically mounts service account policies.kyverno.io/description: Kubernetes automatically mounts service account
credentials in each pod. The service account may be assigned roles allowing pods credentials in each pod. The service account may be assigned roles allowing
to access API resources. To restrict access, opt out of auto-mounting tokens by pods to access API resources. To restrict access, opt out of auto-mounting tokens
setting automountServiceAccountToken to false. by setting automountServiceAccountToken to false.
name: restrict-automount-sa-token
spec: spec:
admission: true
background: true
rules: rules:
- name: validate-automountServiceAccountToken - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-automountServiceAccountToken
validate: validate:
message: "Auto-mounting of Service Account tokens is not allowed" message: Auto-mounting of Service Account tokens is not allowed
pattern: pattern:
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
validationFailureAction: Audit


@ -1,22 +1,27 @@
apiVersion : kyverno.io/v1 ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: restrict-ingress-classes
annotations: annotations:
policies.kyverno.io/category: Workload Management policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: It can be useful to restrict Ingress resources to a set of policies.kyverno.io/description: It can be useful to restrict Ingress resources
known ingress classes that are allowed in the cluster. You can customize this policy to to a set of known ingress classes that are allowed in the cluster. You can customize
allow ingress classes that are configured in the cluster. this policy to allow ingress classes that are configured in the cluster.
name: restrict-ingress-classes
spec: spec:
admission: true
background: true
rules: rules:
- name: validate-ingress - match:
match: any:
resources: - resources:
kinds: kinds:
- Ingress - Ingress
name: validate-ingress
validate: validate:
message: "Unknown ingress class" message: Unknown ingress class
pattern: pattern:
metadata: metadata:
annotations: annotations:
kubernetes.io/ingress.class: "F5 | nginx" kubernetes.io/ingress.class: F5 | nginx
validationFailureAction: Audit
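Review bot: The `validate-ingress` pattern checks only the legacy `kubernetes.io/ingress.class` annotation and never looks at `spec.ingressClassName`, the field that replaced it. As far as I can tell, an Ingress that selects its class via `spec.ingressClassName` and omits the annotation is rejected because the pattern requires the annotation, while one that carries an allowed annotation together with a different `spec.ingressClassName` is accepted, and which of the two the controller honours is controller-specific. Consider an `anyPattern` with one entry for the annotation and one for `spec: ingressClassName: F5 | nginx`, so both forms are validated against the same allow-list.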


@ -1,17 +1,21 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: no-loadbalancers name: no-loadbalancers
spec: spec:
validationFailureAction: audit admission: true
background: true
rules: rules:
- name: no-LoadBalancer - match:
match: any:
resources: - resources:
kinds: kinds:
- Service - Service
name: no-LoadBalancer
validate: validate:
message: "Service of type LoadBalancer is not allowed." message: Service of type LoadBalancer is not allowed.
pattern: pattern:
spec: spec:
type: "!LoadBalancer" type: '!LoadBalancer'
validationFailureAction: Audit


@ -1,45 +1,53 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: validate-userid-groupid-fsgroup
annotations: annotations:
policies.kyverno.io/category: Security Context policies.kyverno.io/category: Security Context
policies.kyverno.io/description: All processes inside the pod can be made to run with specific user policies.kyverno.io/description: All processes inside the pod can be made to run
and groupID by setting 'runAsUser' and 'runAsGroup' respectively. 'fsGroup' can be specified with specific user and groupID by setting 'runAsUser' and 'runAsGroup' respectively.
to make sure any file created in the volume with have the specified groupID. These options can be 'fsGroup' can be specified to make sure any file created in the volume with
used to validate the IDs used for user and group. have the specified groupID. These options can be used to validate the IDs used
for user and group.
name: validate-userid-groupid-fsgroup
spec: spec:
admission: true
background: true
rules: rules:
- name: validate-userid - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-userid
validate: validate:
message: "User ID should be 1000" message: User ID should be 1000
pattern: pattern:
spec: spec:
securityContext: securityContext:
runAsUser: '1000' runAsUser: "1000"
- name: validate-groupid - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-groupid
validate: validate:
message: "Group ID should be 3000" message: Group ID should be 3000
pattern: pattern:
spec: spec:
securityContext: securityContext:
runAsGroup: '3000' runAsGroup: "3000"
- name: validate-fsgroup - match:
match: any:
resources: - resources:
kinds: kinds:
- Pod - Pod
name: validate-fsgroup
validate: validate:
message: "fsgroup should be 2000" message: fsgroup should be 2000
pattern: pattern:
spec: spec:
securityContext: securityContext:
fsGroup: '2000' fsGroup: "2000"
validationFailureAction: Audit
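Review bot: The three patterns in `validate-userid-groupid-fsgroup` check only the Pod-level `spec.securityContext`, and in Kubernetes a container-level `securityContext.runAsUser` or `runAsGroup` overrides the Pod-level value, so a Pod with `runAsUser: 1000` at the top and `runAsUser: 0` on a container satisfies `validate-userid` while its process runs as root. If the rule is meant to enforce the IDs rather than just the Pod-level default, extend the pattern with a container-level check, e.g. `containers: - =(securityContext): =(runAsUser): "1000"`, and do the same for `runAsGroup`; `fsGroup` has no container-level counterpart, so that rule is fine as is.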


@ -1,29 +1,31 @@
---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: spread-pods name: spread-pods
spec: spec:
admission: true
background: true
rules: rules:
- name: spread-pods-across-nodes - match:
# Matches any Deployment with the label `distributed=required` any:
match: - resources:
resources:
kinds: kinds:
- Deployment - Deployment
selector: selector:
matchLabels: matchLabels:
distributed: required distributed: required
# Mutates the incoming Deployment. mutate:
mutate: patchStrategicMerge:
patchStrategicMerge: spec:
spec: template:
template: spec:
spec: +(topologySpreadConstraints):
# Adds the topologySpreadConstraints field if non-existent in the request. - labelSelector:
+(topologySpreadConstraints): matchLabels:
- maxSkew: 1 distributed: required
topologyKey: zone maxSkew: 1
whenUnsatisfiable: DoNotSchedule topologyKey: zone
labelSelector: whenUnsatisfiable: DoNotSchedule
matchLabels: name: spread-pods-across-nodes
distributed: required validationFailureAction: Audit