chore: apply policy fixes (#8427)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
parent
3a61f2c6b7
commit
7562bea6db
40 changed files with 996 additions and 814 deletions
|
@ -1,25 +1,35 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: check-image
|
|
||||||
annotations:
|
annotations:
|
||||||
pod-policies.kyverno.io/autogen-controllers: none
|
pod-policies.kyverno.io/autogen-controllers: none
|
||||||
|
name: check-image
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: verify-signature
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
verifyImages:
|
name: verify-signature
|
||||||
- imageReferences:
|
verifyImages:
|
||||||
- "*"
|
- attestors:
|
||||||
attestors:
|
- count: 1
|
||||||
- count: 1
|
entries:
|
||||||
entries:
|
- keys:
|
||||||
- keys:
|
publicKeys: |-
|
||||||
publicKeys: |-
|
-----BEGIN PUBLIC KEY-----
|
||||||
-----BEGIN PUBLIC KEY-----
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFN8gGjQua2g8N+aLx3Eff+/j5HxL
|
||||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFN8gGjQua2g8N+aLx3Eff+/j5HxL
|
bV+H2z50/0A4d8XyMUvizPQBtcgei43pqLj1850m3wSwI08z2+6zT1QaEg==
|
||||||
bV+H2z50/0A4d8XyMUvizPQBtcgei43pqLj1850m3wSwI08z2+6zT1QaEg==
|
-----END PUBLIC KEY-----
|
||||||
-----END PUBLIC KEY-----
|
signatureAlgorithm: sha256
|
||||||
|
imageReferences:
|
||||||
|
- '*'
|
||||||
|
mutateDigest: true
|
||||||
|
required: true
|
||||||
|
useCache: true
|
||||||
|
verifyDigest: true
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
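Review bot: `validationFailureAction: Audit` on the new side, paired with the newly added `required: true`, means a Pod whose image fails signature verification is presumably still admitted and only recorded in a report, and nothing in the document says that is deliberate. If these fixtures double as reference policies, a comment above that key such as `# Audit only reports images that fail verification; use Enforce to reject them` would stop the sample being copied as a blocking control. The added `mutateDigest`, `verifyDigest` and `useCache` keys likewise carry no comment on why all three are set, and `background: true` on an image-verification policy deserves a one-line note on what it is expected to produce. The document is complete within the hunk.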
@ -1,21 +1,22 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: limit-configmap-for-sa
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/title: Limit ConfigMap to ServiceAccounts for a User
|
kyverno.io/kubernetes-version: 1.20-1.23
|
||||||
policies.kyverno.io/category: Other
|
|
||||||
policies.kyverno.io/severity: medium
|
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: 1.6.0
|
||||||
kyverno.io/kubernetes-version: "1.20-1.23"
|
policies.kyverno.io/category: Other
|
||||||
|
policies.kyverno.io/description: This policy shows how to restrict certain operations
|
||||||
|
on specific ConfigMaps by ServiceAccounts.
|
||||||
|
policies.kyverno.io/severity: medium
|
||||||
policies.kyverno.io/subject: ConfigMap, ServiceAccount
|
policies.kyverno.io/subject: ConfigMap, ServiceAccount
|
||||||
policies.kyverno.io/description: This policy shows how to restrict certain operations on specific ConfigMaps by ServiceAccounts.
|
policies.kyverno.io/title: Limit ConfigMap to ServiceAccounts for a User
|
||||||
|
name: limit-configmap-for-sa
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
validationFailureAction: audit
|
|
||||||
rules:
|
rules:
|
||||||
- name: limit-configmap-for-sa-developer
|
- match:
|
||||||
match:
|
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
|
@ -31,25 +32,28 @@ spec:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: another-developer
|
name: another-developer
|
||||||
namespace: another-namespace
|
namespace: another-namespace
|
||||||
|
name: limit-configmap-for-sa-developer
|
||||||
preconditions:
|
preconditions:
|
||||||
all:
|
all:
|
||||||
- key: "{{request.object.metadata.namespace}}"
|
- key: '{{request.object.metadata.namespace}}'
|
||||||
operator: In
|
operator: AllIn
|
||||||
value:
|
value:
|
||||||
- "any-namespace"
|
- any-namespace
|
||||||
- "another-namespace"
|
- another-namespace
|
||||||
- key: "{{request.object.metadata.name}}"
|
- key: '{{request.object.metadata.name}}'
|
||||||
operator: In
|
operator: AllIn
|
||||||
value:
|
value:
|
||||||
- "any-configmap-name-good"
|
- any-configmap-name-good
|
||||||
- "another-configmap-name"
|
- another-configmap-name
|
||||||
validate:
|
validate:
|
||||||
message: "{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} resource is protected. Admin or allowed users can change the resource"
|
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
all:
|
all:
|
||||||
- key: "{{request.operation}}"
|
- key: '{{request.operation}}'
|
||||||
operator: "In"
|
operator: In
|
||||||
value:
|
value:
|
||||||
- "UPDATE"
|
- UPDATE
|
||||||
- "CREATE"
|
- CREATE
|
||||||
|
message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}}
|
||||||
|
resource is protected. Admin or allowed users can change the resource'
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
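Review bot: The deny condition near the end of the second hunk lists only `UPDATE` and `CREATE` under `request.operation`, so a matched ServiceAccount could still delete the protected ConfigMaps, which sits oddly beside the `resource is protected` message; if deletion is meant to be blocked as well, add `- DELETE` to that value list. The switch from `operator: In` to `operator: AllIn` in both preconditions is a semantic change that the commit title (`apply policy fixes`) does not explain; a one-line comment on why `AllIn` is wanted for a scalar key would help the next reader. The rule that the second hunk modifies starts before the hunk (`@ -31,25 +32,28 @@`).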
@ -1,40 +1,44 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: pod-requirements
|
|
||||||
annotations:
|
annotations:
|
||||||
pod-policies.kyverno.io/autogen-controllers: none
|
pod-policies.kyverno.io/autogen-controllers: none
|
||||||
policies.kyverno.io/severity: medium
|
|
||||||
policies.kyverno.io/category: Pod Security Standards (Restricted)
|
policies.kyverno.io/category: Pod Security Standards (Restricted)
|
||||||
|
policies.kyverno.io/severity: medium
|
||||||
|
name: pod-requirements
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
validationFailureAction: audit
|
|
||||||
rules:
|
rules:
|
||||||
- name: pods-require-account
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: pods-require-account
|
||||||
validate:
|
validate:
|
||||||
message: User pods must include an account for charging
|
message: User pods must include an account for charging
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
account: "*?"
|
account: '*?'
|
||||||
- name: pods-require-limits
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: pods-require-limits
|
||||||
validate:
|
validate:
|
||||||
message: CPU and memory resource requests and limits are required for user pods
|
message: CPU and memory resource requests and limits are required for user pods
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- resources:
|
- resources:
|
||||||
requests:
|
|
||||||
memory: "?*"
|
|
||||||
cpu: "?*"
|
|
||||||
limits:
|
limits:
|
||||||
memory: "?*"
|
cpu: ?*
|
||||||
cpu: "?*"
|
memory: ?*
|
||||||
|
requests:
|
||||||
|
cpu: ?*
|
||||||
|
memory: ?*
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
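Review bot: The `pods-require-limits` pattern only walks `spec.containers`, so an init container with no requests or limits passes the rule unchanged on the new side, although the message states that requests and limits are required for user pods; a parallel `=(initContainers)` entry closes that gap. The same containers-only pattern is present in the `Policy` variant of pod-requirements, in `validate-host-port` of disallow-host-network-port, in both rules of disallow-latest-tag, in both rules of disallow-privileged and in require-pod-requests-limits, all touched by this commit. Separately, dropping the quotes around `?*` leaves a plain scalar that starts with the `?` indicator; it parses, but `'?*'` is the more robust spelling given how often these files pass through other YAML tooling. The document is complete within the hunk.
```yaml
      pattern:
        spec:
          # … unchanged: containers block …
          =(initContainers):
            - resources:
                limits:
                  cpu: ?*
                  memory: ?*
                requests:
                  cpu: ?*
                  memory: ?*
```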
@ -1,41 +1,45 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: Policy
|
kind: Policy
|
||||||
metadata:
|
metadata:
|
||||||
name: pod-requirements
|
|
||||||
namespace: test
|
|
||||||
annotations:
|
annotations:
|
||||||
pod-policies.kyverno.io/autogen-controllers: none
|
pod-policies.kyverno.io/autogen-controllers: none
|
||||||
policies.kyverno.io/severity: medium
|
|
||||||
policies.kyverno.io/category: Pod Security Standards (Restricted)
|
policies.kyverno.io/category: Pod Security Standards (Restricted)
|
||||||
|
policies.kyverno.io/severity: medium
|
||||||
|
name: pod-requirements
|
||||||
|
namespace: test
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
validationFailureAction: audit
|
|
||||||
rules:
|
rules:
|
||||||
- name: pods-require-account
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: pods-require-account
|
||||||
validate:
|
validate:
|
||||||
message: User pods must include an account for charging
|
message: User pods must include an account for charging
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
account: "*?"
|
account: '*?'
|
||||||
- name: pods-require-limits
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: pods-require-limits
|
||||||
validate:
|
validate:
|
||||||
message: CPU and memory resource requests and limits are required for user pods
|
message: CPU and memory resource requests and limits are required for user pods
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- resources:
|
- resources:
|
||||||
requests:
|
|
||||||
memory: "?*"
|
|
||||||
cpu: "?*"
|
|
||||||
limits:
|
limits:
|
||||||
memory: "?*"
|
cpu: ?*
|
||||||
cpu: "?*"
|
memory: ?*
|
||||||
|
requests:
|
||||||
|
cpu: ?*
|
||||||
|
memory: ?*
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,39 +1,44 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: add-networkpolicy
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Workload Management
|
policies.kyverno.io/category: Workload Management
|
||||||
policies.kyverno.io/description: By default, Kubernetes allows communications across
|
policies.kyverno.io/description: By default, Kubernetes allows communications
|
||||||
all pods within a cluster. Network policies and, a CNI that supports network policies,
|
across all pods within a cluster. Network policies and, a CNI that supports
|
||||||
must be used to restrict communinications. A default NetworkPolicy should be configured
|
network policies, must be used to restrict communinications. A default NetworkPolicy
|
||||||
for each namespace to default deny all ingress traffic to the pods in the namespace.
|
should be configured for each namespace to default deny all ingress traffic
|
||||||
Application teams can then configure additional NetworkPolicy resources to allow
|
to the pods in the namespace. Application teams can then configure additional
|
||||||
desired traffic to application pods from select sources.
|
NetworkPolicy resources to allow desired traffic to application pods from select
|
||||||
|
sources.
|
||||||
|
name: add-networkpolicy
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: default-deny-ingress
|
- exclude:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
namespaces:
|
||||||
- Namespace
|
- kube-system
|
||||||
name: "*"
|
- default
|
||||||
exclude:
|
- kube-public
|
||||||
resources:
|
- kyverno
|
||||||
namespaces:
|
generate:
|
||||||
- "kube-system"
|
|
||||||
- "default"
|
|
||||||
- "kube-public"
|
|
||||||
- "kyverno"
|
|
||||||
generate:
|
|
||||||
kind: NetworkPolicy
|
|
||||||
name: default-deny-ingress
|
|
||||||
namespace: "{{request.object.metadata.name}}"
|
|
||||||
synchronize : true
|
|
||||||
data:
|
data:
|
||||||
spec:
|
spec:
|
||||||
# select all pods in the namespace
|
|
||||||
podSelector: {}
|
podSelector: {}
|
||||||
policyTypes:
|
policyTypes:
|
||||||
- Ingress
|
- Ingress
|
||||||
|
kind: NetworkPolicy
|
||||||
|
name: default-deny-ingress
|
||||||
|
namespace: '{{request.object.metadata.name}}'
|
||||||
|
synchronize: true
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Namespace
|
||||||
|
name: '*'
|
||||||
|
name: default-deny-ingress
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
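Review bot: The comment `# select all pods in the namespace` that sat above `podSelector: {}` on the old side is absent from the new side and nothing replaced it; restoring it keeps the one explanatory line this generated NetworkPolicy had. The same loss occurs in the require-labels section, where the guidance comment inviting the reader to add `app.kubernetes.io/component` and the commented-out example line below it are gone after the reshuffle. If the formatter used for this commit strips comments, saying so in the commit description would mark the drop as intentional rather than accidental. The document is complete within the hunk.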
@ -1,50 +1,46 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: add-ns-quota
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Workload Isolation
|
policies.kyverno.io/category: Workload Isolation
|
||||||
policies.kyverno.io/description: To limit the number of objects, as well as the
|
policies.kyverno.io/description: To limit the number of objects, as well as the
|
||||||
total amount of compute that may be consumed by a single namespace, create
|
total amount of compute that may be consumed by a single namespace, create a
|
||||||
a default resource quota for each namespace.
|
default resource quota for each namespace.
|
||||||
|
name: add-ns-quota
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: generate-resourcequota
|
- exclude:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
namespaces:
|
||||||
- Namespace
|
- kube-system
|
||||||
exclude:
|
- default
|
||||||
resources:
|
- kube-public
|
||||||
namespaces:
|
- kyverno
|
||||||
- "kube-system"
|
|
||||||
- "default"
|
|
||||||
- "kube-public"
|
|
||||||
- "kyverno"
|
|
||||||
generate:
|
generate:
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ResourceQuota
|
|
||||||
name: default-resourcequota
|
|
||||||
synchronize : true
|
|
||||||
namespace: "{{request.object.metadata.name}}"
|
|
||||||
data:
|
data:
|
||||||
spec:
|
spec:
|
||||||
hard:
|
hard:
|
||||||
requests.cpu: '4'
|
limits.cpu: "4"
|
||||||
requests.memory: '16Gi'
|
limits.memory: 16Gi
|
||||||
limits.cpu: '4'
|
requests.cpu: "4"
|
||||||
limits.memory: '16Gi'
|
requests.memory: 16Gi
|
||||||
- name: generate-limitrange
|
kind: ResourceQuota
|
||||||
|
name: default-resourcequota
|
||||||
|
namespace: '{{request.object.metadata.name}}'
|
||||||
|
synchronize: true
|
||||||
match:
|
match:
|
||||||
resources:
|
any:
|
||||||
kinds:
|
- resources:
|
||||||
- Namespace
|
kinds:
|
||||||
generate:
|
- Namespace
|
||||||
|
name: generate-resourcequota
|
||||||
|
- generate:
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: LimitRange
|
|
||||||
name: default-limitrange
|
|
||||||
synchronize : true
|
|
||||||
namespace: "{{request.object.metadata.name}}"
|
|
||||||
data:
|
data:
|
||||||
spec:
|
spec:
|
||||||
limits:
|
limits:
|
||||||
|
@ -55,3 +51,14 @@ spec:
|
||||||
cpu: 200m
|
cpu: 200m
|
||||||
memory: 256Mi
|
memory: 256Mi
|
||||||
type: Container
|
type: Container
|
||||||
|
kind: LimitRange
|
||||||
|
name: default-limitrange
|
||||||
|
namespace: '{{request.object.metadata.name}}'
|
||||||
|
synchronize: true
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Namespace
|
||||||
|
name: generate-limitrange
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,38 +1,45 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: add-safe-to-evict
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Workload Management
|
policies.kyverno.io/category: Workload Management
|
||||||
policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict pods that
|
policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict
|
||||||
use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation
|
pods that use hostPath or emptyDir volumes. To allow eviction of these pods,
|
||||||
cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
|
the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added
|
||||||
spec:
|
to the pods.
|
||||||
rules:
|
name: add-safe-to-evict
|
||||||
- name: annotate-empty-dir
|
spec:
|
||||||
match:
|
admission: true
|
||||||
resources:
|
background: true
|
||||||
kinds:
|
rules:
|
||||||
- Pod
|
- match:
|
||||||
mutate:
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Pod
|
||||||
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
|
+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
|
||||||
spec:
|
spec:
|
||||||
volumes:
|
volumes:
|
||||||
- <(emptyDir): {}
|
- <(emptyDir): {}
|
||||||
- name: annotate-host-path
|
name: annotate-empty-dir
|
||||||
match:
|
- match:
|
||||||
resources:
|
any:
|
||||||
kinds:
|
- resources:
|
||||||
- Pod
|
kinds:
|
||||||
mutate:
|
- Pod
|
||||||
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
|
+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
|
||||||
spec:
|
spec:
|
||||||
volumes:
|
volumes:
|
||||||
- hostPath:
|
- hostPath:
|
||||||
<(path): "*"
|
<(path): '*'
|
||||||
|
name: annotate-host-path
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,26 +1,31 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: disallow-bind-mounts
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Workload Isolation
|
policies.kyverno.io/category: Workload Isolation
|
||||||
policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind
|
policies.kyverno.io/description: The volume of type `hostPath` allows pods to
|
||||||
mounts (i.e. directories and volumes mounted to a host path) in containers. Using host
|
use host bind mounts (i.e. directories and volumes mounted to a host path) in
|
||||||
resources can be used to access shared data or escalate privileges. Also, this couples pods
|
containers. Using host resources can be used to access shared data or escalate
|
||||||
to a specific host and data persisted in the `hostPath` volume is coupled to the life of the
|
privileges. Also, this couples pods to a specific host and data persisted in
|
||||||
node leading to potential pod scheduling failures. It is highly recommended that applications
|
the `hostPath` volume is coupled to the life of the node leading to potential
|
||||||
are designed to be decoupled from the underlying infrastructure (in this case, nodes).
|
pod scheduling failures. It is highly recommended that applications are designed
|
||||||
spec:
|
to be decoupled from the underlying infrastructure (in this case, nodes).
|
||||||
validationFailureAction: audit
|
name: disallow-bind-mounts
|
||||||
rules:
|
spec:
|
||||||
- name: validate-hostPath
|
admission: true
|
||||||
match:
|
background: true
|
||||||
resources:
|
rules:
|
||||||
kinds:
|
- match:
|
||||||
- Pod
|
any:
|
||||||
validate:
|
- resources:
|
||||||
message: "Host path volumes are not allowed"
|
kinds:
|
||||||
pattern:
|
- Pod
|
||||||
spec:
|
name: validate-hostPath
|
||||||
=(volumes):
|
validate:
|
||||||
|
message: Host path volumes are not allowed
|
||||||
|
pattern:
|
||||||
|
spec:
|
||||||
|
=(volumes):
|
||||||
- X(hostPath): "null"
|
- X(hostPath): "null"
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,34 +1,40 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: disallow-host-network-port
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Workload Isolation
|
policies.kyverno.io/category: Workload Isolation
|
||||||
policies.kyverno.io/description: Using 'hostPort' and 'hostNetwork' allows pods to share
|
policies.kyverno.io/description: Using 'hostPort' and 'hostNetwork' allows pods
|
||||||
the host network stack, allowing potential snooping of network traffic from an application pod.
|
to share the host network stack, allowing potential snooping of network traffic
|
||||||
|
from an application pod.
|
||||||
|
name: disallow-host-network-port
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-host-network
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-host-network
|
||||||
validate:
|
validate:
|
||||||
message: "Use of hostNetwork is not allowed"
|
message: Use of hostNetwork is not allowed
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
=(hostNetwork): false
|
=(hostNetwork): false
|
||||||
- name: validate-host-port
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-host-port
|
||||||
validate:
|
validate:
|
||||||
message: "Use of hostPort is not allowed"
|
message: Use of hostPort is not allowed
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: "*"
|
- =(ports):
|
||||||
=(ports):
|
- X(hostPort): "null"
|
||||||
- X(hostPort): "null"
|
name: '*'
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,24 +1,29 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: disallow-host-pid-ipc
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Workload Isolation
|
policies.kyverno.io/category: Workload Isolation
|
||||||
policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process
|
policies.kyverno.io/description: Sharing the host's PID namespace allows visibility
|
||||||
on the host, potentially exposing process information. Sharing the host's IPC namespace allows
|
of process on the host, potentially exposing process information. Sharing the
|
||||||
the container process to communicate with processes on the host. To avoid pod container from
|
host's IPC namespace allows the container process to communicate with processes
|
||||||
having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
|
on the host. To avoid pod container from having visibility to host process space,
|
||||||
|
validate that 'hostPID' and 'hostIPC' are set to 'false'.
|
||||||
|
name: disallow-host-pid-ipc
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-hostPID-hostIPC
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-hostPID-hostIPC
|
||||||
validate:
|
validate:
|
||||||
message: "Use of host PID and IPC namespaces is not allowed"
|
message: Use of host PID and IPC namespaces is not allowed
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
=(hostPID): "false"
|
|
||||||
=(hostIPC): "false"
|
=(hostIPC): "false"
|
||||||
|
=(hostPID): "false"
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
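Review bot: `=(hostPID): "false"` and `=(hostIPC): "false"` keep a quoted string as the pattern value on the new side, whereas disallow-host-network-port in this same commit writes `=(hostNetwork): false` as a YAML boolean for an equivalent Pod field, so the two policies now document different conventions for the same kind of check. Worth confirming that the engine matches the string pattern `"false"` against a boolean `hostPID`, and then settling on one form — `=(hostPID): false` and `=(hostIPC): false` — so readers do not infer a difference that is not there. The document is complete within the hunk.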
@ -1,35 +1,40 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: disallow-latest-tag
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Workload Isolation
|
|
||||||
policies.kyverno.io/description: The ':latest' tag is mutable and can lead to
|
|
||||||
unexpected errors if the image changes. A best practice is to use an immutable
|
|
||||||
tag that maps to a specific version of an application pod.
|
|
||||||
pod-policies.kyverno.io/autogen-controllers: none
|
pod-policies.kyverno.io/autogen-controllers: none
|
||||||
|
policies.kyverno.io/category: Workload Isolation
|
||||||
|
policies.kyverno.io/description: The ':latest' tag is mutable and can lead to
|
||||||
|
unexpected errors if the image changes. A best practice is to use an immutable
|
||||||
|
tag that maps to a specific version of an application pod.
|
||||||
|
name: disallow-latest-tag
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: require-image-tag
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: require-image-tag
|
||||||
validate:
|
validate:
|
||||||
message: "An image tag is required"
|
message: An image tag is required
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- image: "*:*"
|
- image: '*:*'
|
||||||
- name: validate-image-tag
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-image-tag
|
||||||
validate:
|
validate:
|
||||||
message: "Using a mutable image tag e.g. 'latest' is not allowed"
|
message: Using a mutable image tag e.g. 'latest' is not allowed
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- image: "!*:latest"
|
- image: '!*:latest'
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,39 +1,42 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: disallow-privileged
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Security
|
policies.kyverno.io/category: Security
|
||||||
policies.kyverno.io/description: Privileged containers are defined as any
|
policies.kyverno.io/description: Privileged containers are defined as any container
|
||||||
container where the container uid 0 is mapped to the host’s uid 0.
|
where the container uid 0 is mapped to the host’s uid 0. A process within a
|
||||||
A process within a privileged container can get unrestricted host access.
|
privileged container can get unrestricted host access. With `securityContext.allowPrivilegeEscalation`
|
||||||
With `securityContext.allowPrivilegeEscalation` enabled, a process can
|
enabled, a process can gain privileges from its parent.
|
||||||
gain privileges from its parent.
|
name: disallow-privileged
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-privileged
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-privileged
|
||||||
validate:
|
validate:
|
||||||
message: "Privileged mode is not allowed. Set privileged to false"
|
message: Privileged mode is not allowed. Set privileged to false
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- =(securityContext):
|
- =(securityContext):
|
||||||
=(privileged): false
|
=(privileged): false
|
||||||
- name: validate-allowPrivilegeEscalation
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-allowPrivilegeEscalation
|
||||||
validate:
|
validate:
|
||||||
message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false"
|
message: Privileged mode is not allowed. Set allowPrivilegeEscalation to false
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- securityContext:
|
- securityContext:
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,23 +1,28 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: disallow-sysctls
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Security
|
policies.kyverno.io/category: Security
|
||||||
policies.kyverno.io/description: The Sysctl interface allows modifications to kernel parameters
|
policies.kyverno.io/description: The Sysctl interface allows modifications to
|
||||||
at runtime. In a Kubernetes pod these parameters can be specified under `securityContext.sysctls`.
|
kernel parameters at runtime. In a Kubernetes pod these parameters can be specified
|
||||||
Kernel parameter modifications can be used for exploits and should be restricted.
|
under `securityContext.sysctls`. Kernel parameter modifications can be used
|
||||||
|
for exploits and should be restricted.
|
||||||
|
name: disallow-sysctls
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-sysctls
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-sysctls
|
||||||
validate:
|
validate:
|
||||||
message: "Changes to kernel parameters are not allowed"
|
message: Changes to kernel parameters are not allowed
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
=(securityContext):
|
=(securityContext):
|
||||||
X(sysctls): null
|
X(sysctls): null
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
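Review bot: `X(sysctls): null` is an unquoted YAML null on the new side, while the negation anchors in disallow-bind-mounts and disallow-host-network-port from this same commit are written `X(hostPath): "null"` and `X(hostPort): "null"` as quoted strings; the commit normalises quoting everywhere else but leaves this difference in place. If the engine ignores the value of an `X()` anchor the two are equivalent, but one spelling — `X(sysctls): "null"`, matching the other files — avoids the question. The document is complete within the hunk.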
@ -1,21 +1,26 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: require-certain-labels
|
name: require-certain-labels
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-certain-labels
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-certain-labels
|
||||||
validate:
|
validate:
|
||||||
message: "The label `app.kubernetes.io/name` or `app.kubernetes.io/component` is required."
|
|
||||||
anyPattern:
|
anyPattern:
|
||||||
- metadata:
|
- metadata:
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/name: "?*"
|
app.kubernetes.io/name: ?*
|
||||||
- metadata:
|
- metadata:
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/component: "?*"
|
app.kubernetes.io/component: ?*
|
||||||
|
message: The label `app.kubernetes.io/name` or `app.kubernetes.io/component`
|
||||||
|
is required.
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,20 +1,22 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: require-labels
|
name: require-labels
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: check-for-labels
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: check-for-labels
|
||||||
validate:
|
validate:
|
||||||
message: "The label `app.kubernetes.io/name` is required."
|
message: The label `app.kubernetes.io/name` is required.
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/name: "?*"
|
app.kubernetes.io/name: ?*
|
||||||
# You can add more labels if you wish the policy to validate more than just one is present. Uncomment the below line, or add new ones.
|
validationFailureAction: Audit
|
||||||
#app.kubernetes.io/component: "?*
|
|
||||||
|
|
|
@ -1,29 +1,34 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: require-pod-requests-limits
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Workload Management
|
policies.kyverno.io/category: Workload Management
|
||||||
policies.kyverno.io/description: As application workloads share cluster resources, it is important
|
policies.kyverno.io/description: As application workloads share cluster resources,
|
||||||
to limit resources requested and consumed by each pod. It is recommended to require
|
it is important to limit resources requested and consumed by each pod. It is
|
||||||
'resources.requests' and 'resources.limits.memory' per pod. If a namespace level request or limit is
|
recommended to require 'resources.requests' and 'resources.limits.memory' per
|
||||||
specified, defaults will automatically be applied to each pod based on the 'LimitRange' configuration.
|
pod. If a namespace level request or limit is specified, defaults will automatically
|
||||||
|
be applied to each pod based on the 'LimitRange' configuration.
|
||||||
|
name: require-pod-requests-limits
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-resources
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-resources
|
||||||
validate:
|
validate:
|
||||||
message: "CPU and memory resource requests and limits are required"
|
message: CPU and memory resource requests and limits are required
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- resources:
|
- resources:
|
||||||
requests:
|
|
||||||
memory: "?*"
|
|
||||||
cpu: "?*"
|
|
||||||
limits:
|
limits:
|
||||||
memory: "?*"
|
memory: ?*
|
||||||
|
requests:
|
||||||
|
cpu: ?*
|
||||||
|
memory: ?*
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
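Review bot: The message `CPU and memory resource requests and limits are required` overstates what the `pattern` block enforces: it requires `requests.cpu`, `requests.memory` and `limits.memory`, but nothing for CPU under `limits`, so a container without a CPU limit passes while the audit text claims otherwise. The description annotation only promises `resources.requests` and `resources.limits.memory`, so either align the message with that (`message: CPU and memory requests and a memory limit are required`) or add `cpu: ?*` under `limits:` if CPU limits are meant to be mandatory. The pattern also covers only `spec.containers`; `initContainers` are not checked.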
@ -1,28 +1,34 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: select-secrets
|
name: select-secrets
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
validationFailureAction: enforce
|
|
||||||
rules:
|
rules:
|
||||||
- name: select-secrets-from-volumes
|
- context:
|
||||||
|
- apiCall:
|
||||||
|
jmesPath: metadata.labels.foo
|
||||||
|
method: GET
|
||||||
|
urlPath: /api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{request.object.spec.volumes[0].secret.secretName}}
|
||||||
|
name: volsecret
|
||||||
match:
|
match:
|
||||||
resources:
|
any:
|
||||||
kinds:
|
- resources:
|
||||||
- Pod
|
kinds:
|
||||||
context:
|
- Pod
|
||||||
- name: volsecret
|
name: select-secrets-from-volumes
|
||||||
apiCall:
|
|
||||||
urlPath: "/api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{request.object.spec.volumes[0].secret.secretName}}"
|
|
||||||
jmesPath: "metadata.labels.foo"
|
|
||||||
preconditions:
|
preconditions:
|
||||||
- key: "{{ request.operation }}"
|
all:
|
||||||
operator: Equals
|
- key: '{{ request.operation }}'
|
||||||
value: "CREATE"
|
operator: Equals
|
||||||
|
value: CREATE
|
||||||
validate:
|
validate:
|
||||||
message: "The Secret named {{request.object.spec.volumes[0].secret.secretName}} is restricted and may not be used."
|
message: The Secret named {{request.object.spec.volumes[0].secret.secretName}}
|
||||||
|
is restricted and may not be used.
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- image: "registry.domain.com/*"
|
- image: registry.domain.com/*
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
|
|
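Review bot: The `apiCall` context entry only inspects `request.object.spec.volumes[0].secret.secretName`, so a Pod that mounts the restricted Secret in any volume other than the first is never looked up, and a Pod whose first volume is not a Secret (or that has no volumes) will presumably make the `urlPath` fail to resolve and the rule error rather than pass. The `volsecret` variable (the `metadata.labels.foo` of the fetched Secret) is also never referenced: `validate.pattern` checks `containers[].image` against `registry.domain.com/*`, while the `message` talks about the Secret. If this is a fixture exercising the apiCall context, a comment on `- context:` saying so would stop the next reader from treating it as a real secret-usage control; if it is meant to be one, iterate the volumes with `foreach` and use `volsecret` in a `deny` condition.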
@ -1,56 +1,60 @@
|
||||||
apiVersion: kyverno.io/v1
|
|
||||||
kind: ClusterPolicy
|
|
||||||
metadata:
|
|
||||||
name: disallow-latest-tag
|
|
||||||
annotations:
|
|
||||||
policies.kyverno.io/category: Best Practices
|
|
||||||
policies.kyverno.io/description: >-
|
|
||||||
The ':latest' tag is mutable and can lead to unexpected errors if the
|
|
||||||
image changes. A best practice is to use an immutable tag that maps to
|
|
||||||
a specific version of an application pod.
|
|
||||||
spec:
|
|
||||||
validationFailureAction: audit
|
|
||||||
rules:
|
|
||||||
- name: validate-image-tag
|
|
||||||
match:
|
|
||||||
resources:
|
|
||||||
kinds:
|
|
||||||
- Pod
|
|
||||||
validate:
|
|
||||||
message: "Using a mutable image tag e.g. 'latest' is not allowed."
|
|
||||||
pattern:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- image: "!*:latest"
|
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: drop-all-capabilities
|
annotations:
|
||||||
|
policies.kyverno.io/category: Best Practices
|
||||||
|
policies.kyverno.io/description: The ':latest' tag is mutable and can lead to
|
||||||
|
unexpected errors if the image changes. A best practice is to use an immutable
|
||||||
|
tag that maps to a specific version of an application pod.
|
||||||
|
name: disallow-latest-tag
|
||||||
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
|
rules:
|
||||||
|
- match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Pod
|
||||||
|
name: validate-image-tag
|
||||||
|
validate:
|
||||||
|
message: Using a mutable image tag e.g. 'latest' is not allowed.
|
||||||
|
pattern:
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- image: '!*:latest'
|
||||||
|
validationFailureAction: Audit
|
||||||
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/scored: "false"
|
policies.kyverno.io/scored: "false"
|
||||||
|
name: drop-all-capabilities
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: require-drop-all
|
- match:
|
||||||
match:
|
any:
|
||||||
any:
|
- resources:
|
||||||
- resources:
|
kinds:
|
||||||
kinds:
|
- Pod
|
||||||
- Pod
|
name: require-drop-all
|
||||||
preconditions:
|
preconditions:
|
||||||
all:
|
all:
|
||||||
- key: "{{ request.operation }}"
|
- key: '{{ request.operation }}'
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: DELETE
|
value: DELETE
|
||||||
validate:
|
validate:
|
||||||
message: >-
|
foreach:
|
||||||
Containers must drop `ALL` capabilities.
|
- deny:
|
||||||
foreach:
|
conditions:
|
||||||
- list: request.object.spec.[ephemeralContainers, initContainers, containers][]
|
all:
|
||||||
deny:
|
- key: ALL
|
||||||
conditions:
|
operator: AnyNotIn
|
||||||
all:
|
value: '{{ element.securityContext.capabilities.drop || '''' }}'
|
||||||
- key: ALL
|
list: request.object.spec.[ephemeralContainers, initContainers, containers][]
|
||||||
operator: AnyNotIn
|
message: Containers must drop `ALL` capabilities.
|
||||||
value: "{{ element.securityContext.capabilities.drop || '' }}"
|
validationFailureAction: Audit
|
||||||
|
|
|
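Review bot: In `disallow-latest-tag` the `pattern` checks `spec.containers[].image` only, whereas the sibling `drop-all-capabilities` rule in the same file deliberately iterates `request.object.spec.[ephemeralContainers, initContainers, containers][]`; an init or ephemeral container running `:latest` is not caught. The negated wildcard `'!*:latest'` also accepts an image reference with no tag at all, which the runtime resolves to `latest`, so the rule's intent is only partly enforced. Extending the pattern with equality anchors keeps the check valid on Pods that have no init or ephemeral containers:
```yaml
pattern:
  spec:
    =(ephemeralContainers):
      - image: '!*:latest'
    =(initContainers):
      - image: '!*:latest'
    containers:
      - image: '!*:latest'
```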
@ -1,21 +1,23 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: validate-default-proc-mount
|
name: validate-default-proc-mount
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: "audit"
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-default-proc-mount
|
- match:
|
||||||
match:
|
|
||||||
all:
|
all:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-default-proc-mount
|
||||||
validate:
|
validate:
|
||||||
message: "Default proc mount should set to Unmasked"
|
message: Default proc mount should set to Unmasked
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- securityContext:
|
- securityContext:
|
||||||
procMount: Unmasked
|
procMount: Unmasked
|
||||||
# used by rootless containers
|
validationFailureAction: Audit
|
||||||
|
|
|
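Review bot: `procMount: Unmasked` is the permissive option (it disables the masking of sensitive `/proc` paths), and the comment `# used by rootless containers` that explained why the rule demands it is gone on the new side, so nothing now documents that this policy deliberately requires the opposite of the baseline Pod Security Standard, which only allows `Default` or unset. Restore the comment on the `procMount: Unmasked` line. The `message` also reads `Default proc mount should set to Unmasked`; `should be set to` is the intended wording.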
@ -1,24 +1,24 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: validate-selinux-options
|
name: validate-selinux-options
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: "audit"
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-selinux-options
|
- match:
|
||||||
match:
|
any:
|
||||||
any:
|
- resources:
|
||||||
- resources:
|
kinds:
|
||||||
kinds:
|
- Pod
|
||||||
- Pod
|
name: validate-selinux-options
|
||||||
validate:
|
validate:
|
||||||
message: "SELinux level is required"
|
message: SELinux level is required
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- securityContext:
|
- securityContext:
|
||||||
seLinuxOptions:
|
seLinuxOptions:
|
||||||
level: "?*"
|
level: ?*
|
||||||
# level: "s0:c25,c968"
|
validationFailureAction: Audit
|
||||||
# If SELinux security module is loaded on the host operating system,
|
|
||||||
# we can make sure pods only have access to specified configured level
|
|
||||||
|
|
|
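Review bot: `level: ?*` only requires that some non-empty SELinux level is set; the removed comments (`# level: "s0:c25,c968"` and the two lines about restricting pods to a configured level) documented that the intent was a specific level, which the wildcard does not enforce. Either keep that intent visible with a comment on the `level: ?*` line, e.g. `# any non-empty level is accepted; pin a concrete level such as s0:c25,c968 to restrict access`, or replace the wildcard with the concrete level. As in the other validate patterns in this commit, only `spec.containers` is checked, not `initContainers`.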
@ -1,25 +1,28 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: validate-volumes-whitelist
|
name: validate-volumes-whitelist
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: "audit"
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-volumes-whitelist
|
- match:
|
||||||
match:
|
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-volumes-whitelist
|
||||||
validate:
|
validate:
|
||||||
message: "Volume type is not of type hostPath, emptyDir, or configMap."
|
|
||||||
anyPattern:
|
anyPattern:
|
||||||
- spec:
|
- spec:
|
||||||
volumes:
|
volumes:
|
||||||
- hostPath: "*"
|
- hostPath: '*'
|
||||||
- spec:
|
- spec:
|
||||||
volumes:
|
volumes:
|
||||||
- emptyDir: "*"
|
- emptyDir: '*'
|
||||||
- spec:
|
- spec:
|
||||||
volumes:
|
volumes:
|
||||||
- configMap: "*"
|
- configMap: '*'
|
||||||
|
message: Volume type is not of type hostPath, emptyDir, or configMap.
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
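Review bot: The three `anyPattern` branches each hold a single-element `volumes` list, and a list item in a Kyverno validate pattern is matched against every item of the resource list, so a Pod that mixes an `emptyDir` with a `configMap` volume satisfies none of the branches and is reported although both types are on the allow list. If that reading of the pattern semantics is right, a `deny` with a `foreach` over `request.object.spec.volumes` whose condition rejects any key outside `hostPath`, `emptyDir` and `configMap` expresses the allow list correctly. Independently, `hostPath: '*'` on an allow list admits any host path, which the baseline Pod Security Standard forbids outright; a comment stating why hostPath is accepted here would help.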
@ -1,29 +1,26 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: bug-demo
|
|
||||||
annotations:
|
annotations:
|
||||||
pod-policies.kyverno.io/autogen-controllers: "none"
|
pod-policies.kyverno.io/autogen-controllers: none
|
||||||
|
name: bug-demo
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
validationFailureAction: enforce
|
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
|
- match:
|
||||||
- name: mutate1
|
|
||||||
match:
|
|
||||||
all:
|
all:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- v1/Pod
|
- v1/Pod
|
||||||
mutate:
|
mutate:
|
||||||
foreach:
|
foreach:
|
||||||
- list: |-
|
- context:
|
||||||
request.object.spec.containers || `[]`
|
|
||||||
context:
|
|
||||||
- name: container_path
|
- name: container_path
|
||||||
variable:
|
variable:
|
||||||
value: "/spec/containers/{{ elementIndex }}"
|
value: /spec/containers/{{ elementIndex }}
|
||||||
|
list: request.object.spec.containers || `[]`
|
||||||
patchesJson6902: |-
|
patchesJson6902: |-
|
||||||
{{
|
{{
|
||||||
[
|
[
|
||||||
|
@ -82,3 +79,5 @@ spec:
|
||||||
|
|
|
|
||||||
to_string(@)
|
to_string(@)
|
||||||
}}
|
}}
|
||||||
|
name: mutate1
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
|
|
@ -1,50 +1,52 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: disable-connection-draining
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/title: Configure Connection Draining
|
|
||||||
policies.kyverno.io/category: Best Practices
|
policies.kyverno.io/category: Best Practices
|
||||||
policies.kyverno.io/subject: Service
|
policies.kyverno.io/subject: Service
|
||||||
|
policies.kyverno.io/title: Configure Connection Draining
|
||||||
|
name: disable-connection-draining
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: true
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: clb
|
- context:
|
||||||
match:
|
|
||||||
resources:
|
|
||||||
kinds:
|
|
||||||
- Service
|
|
||||||
context:
|
|
||||||
- name: connection_draining_check
|
- name: connection_draining_check
|
||||||
variable:
|
variable:
|
||||||
default: "empty"
|
default: empty
|
||||||
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled"
|
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled"
|
||||||
- name: nlb_check
|
- name: nlb_check
|
||||||
variable:
|
variable:
|
||||||
default: "false"
|
default: "false"
|
||||||
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-type"
|
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-type"
|
||||||
preconditions:
|
match:
|
||||||
all:
|
any:
|
||||||
- key: "{{ request.object.spec.type }}"
|
- resources:
|
||||||
operator: Equals
|
kinds:
|
||||||
value: "LoadBalancer"
|
- Service
|
||||||
- key: "{{ connection_draining_check }}"
|
|
||||||
operator: AnyIn
|
|
||||||
value: ["true", "empty"]
|
|
||||||
- key: "{{ nlb_check }}"
|
|
||||||
operator: AnyNotIn
|
|
||||||
value: ["external", "nlb"]
|
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: "false"
|
service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: "false"
|
||||||
- name: nlb-no-attributes
|
name: clb
|
||||||
match:
|
preconditions:
|
||||||
resources:
|
all:
|
||||||
kinds:
|
- key: '{{ request.object.spec.type }}'
|
||||||
- Service
|
operator: Equals
|
||||||
context:
|
value: LoadBalancer
|
||||||
|
- key: '{{ connection_draining_check }}'
|
||||||
|
operator: AnyIn
|
||||||
|
value:
|
||||||
|
- "true"
|
||||||
|
- empty
|
||||||
|
- key: '{{ nlb_check }}'
|
||||||
|
operator: AnyNotIn
|
||||||
|
value:
|
||||||
|
- external
|
||||||
|
- nlb
|
||||||
|
- context:
|
||||||
- name: nlb_check
|
- name: nlb_check
|
||||||
variable:
|
variable:
|
||||||
default: "false"
|
default: "false"
|
||||||
|
@ -53,19 +55,26 @@ spec:
|
||||||
variable:
|
variable:
|
||||||
default: "false"
|
default: "false"
|
||||||
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-target-group-attributes"
|
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-target-group-attributes"
|
||||||
preconditions:
|
match:
|
||||||
all:
|
any:
|
||||||
- key: "{{ request.object.spec.type }}"
|
- resources:
|
||||||
operator: Equals
|
kinds:
|
||||||
value: "LoadBalancer"
|
- Service
|
||||||
- key: "{{ nlb_check }}"
|
|
||||||
operator: Equals
|
|
||||||
value: "external"
|
|
||||||
- key: "{{ tg_attributes }}"
|
|
||||||
operator: Equals
|
|
||||||
value: "false"
|
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "deregistration_delay.connection_termination.enabled=true,deregistration_delay.timeout_seconds=0"
|
service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: deregistration_delay.connection_termination.enabled=true,deregistration_delay.timeout_seconds=0
|
||||||
|
name: nlb-no-attributes
|
||||||
|
preconditions:
|
||||||
|
all:
|
||||||
|
- key: '{{ request.object.spec.type }}'
|
||||||
|
operator: Equals
|
||||||
|
value: LoadBalancer
|
||||||
|
- key: '{{ nlb_check }}'
|
||||||
|
operator: Equals
|
||||||
|
value: external
|
||||||
|
- key: '{{ tg_attributes }}'
|
||||||
|
operator: Equals
|
||||||
|
value: "false"
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
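Review bot: In rule `nlb-no-attributes` (second hunk) the precondition `- key: '{{ tg_attributes }}' operator: Equals value: "false"` relies on the context `default: "false"` as an "annotation absent" sentinel, so a Service whose annotation literally holds `false` is indistinguishable from one with no annotation, while the `connection_draining_check` variable in the first hunk uses the distinct sentinel `empty` for the same purpose. Aligning on one sentinel that cannot collide with a real annotation value (`default: empty` plus `value: empty` in the precondition) keeps the two rules consistent. The `- name: tg_attributes` context entry itself sits between the two hunks and is not visible here.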
@ -1,22 +1,27 @@
|
||||||
apiVersion: kyverno.io/v1
|
---
|
||||||
kind: ClusterPolicy
|
apiVersion: kyverno.io/v1
|
||||||
metadata:
|
kind: ClusterPolicy
|
||||||
name: mutate-emptydir
|
metadata:
|
||||||
spec:
|
name: mutate-emptydir
|
||||||
rules:
|
spec:
|
||||||
- name: setDefault
|
admission: true
|
||||||
match:
|
background: true
|
||||||
resources:
|
rules:
|
||||||
kinds:
|
- match:
|
||||||
- Deployment
|
any:
|
||||||
mutate:
|
- resources:
|
||||||
foreach:
|
kinds:
|
||||||
- list: "request.object.spec.template.spec.volumes"
|
- Deployment
|
||||||
patchStrategicMerge:
|
mutate:
|
||||||
spec:
|
foreach:
|
||||||
template:
|
- list: request.object.spec.template.spec.volumes
|
||||||
spec:
|
patchStrategicMerge:
|
||||||
volumes:
|
spec:
|
||||||
- name: "{{ element.name }}"
|
template:
|
||||||
(emptyDir):
|
spec:
|
||||||
+(sizeLimit): "20Mi"
|
volumes:
|
||||||
|
- (emptyDir):
|
||||||
|
+(sizeLimit): 20Mi
|
||||||
|
name: '{{ element.name }}'
|
||||||
|
name: setDefault
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
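Review bot: `list: request.object.spec.template.spec.volumes` has no guard for a Deployment whose pod template declares no volumes; the expression then presumably resolves to null rather than an empty list, and the sibling `bug-demo` policy in this commit guards the same situation by appending `` || `[]` `` to its `list:` expression. Applying the same guard, `` list: request.object.spec.template.spec.volumes || `[]` ``, keeps the rule a no-op instead of an error on volume-less Deployments. The rule is also restricted to `Deployment`; other pod controllers with emptyDir volumes receive no size limit.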
@ -1,26 +1,30 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: add-default-resources
|
|
||||||
annotations:
|
annotations:
|
||||||
pod-policies.kyverno.io/autogen-controllers: "none"
|
pod-policies.kyverno.io/autogen-controllers: none
|
||||||
|
name: add-default-resources
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
rules:
|
rules:
|
||||||
- name: add-default-requests
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
mutate:
|
mutate:
|
||||||
foreach:
|
foreach:
|
||||||
- list: "request.object.spec.containers"
|
- list: request.object.spec.containers
|
||||||
patchesJson6902: |-
|
patchesJson6902: |-
|
||||||
- path: /spec/containers/{{elementIndex}}/resources/requests/memory
|
- path: /spec/containers/{{elementIndex}}/resources/requests/memory
|
||||||
op: add
|
op: add
|
||||||
value: "100Mi"
|
value: "100Mi"
|
||||||
- list: "request.object.spec.containers"
|
- list: request.object.spec.containers
|
||||||
patchesJson6902: |-
|
patchesJson6902: |-
|
||||||
- path: /spec/containers/{{elementIndex}}/resources/requests/cpu
|
- path: /spec/containers/{{elementIndex}}/resources/requests/cpu
|
||||||
op: add
|
op: add
|
||||||
value: "100m"
|
value: "100m"
|
||||||
|
name: add-default-requests
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
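Review bot: Both `patchesJson6902` entries use `op: add` on `/spec/containers/{{elementIndex}}/resources/requests/memory` and `.../cpu` without a precondition, and a JSON Patch `add` on an existing member replaces it, so a container that already declares `memory: 1Gi` is silently reset to `100Mi` although the policy name promises defaults, not overrides. The other `add-default-resources` policy in this commit gets this right with the `+(memory)`/`+(cpu)` add-if-absent anchors in a `patchStrategicMerge`, which would be the simplest fix here; alternatively gate each `foreach` with a precondition on `{{ element.resources.requests.memory || '' }}` being empty. The same replace-on-add applies to `foreach-json-patch` later in the commit, where `op: add` at `/spec/containers/{{elementIndex}}/securityContext` overwrites a whole existing securityContext (dropping e.g. `capabilities.drop`). Note also that `op: add` with a missing `resources.requests` parent depends on the patch library creating intermediate paths; confirm that is the behaviour relied on.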
@ -1,47 +1,56 @@
|
||||||
apiVersion: kyverno.io/v1
|
|
||||||
kind: ClusterPolicy
|
|
||||||
metadata:
|
|
||||||
name: foreach-json-patch
|
|
||||||
annotations:
|
|
||||||
pod-policies.kyverno.io/autogen-controllers: none
|
|
||||||
spec:
|
|
||||||
rules:
|
|
||||||
- name: add-security-context
|
|
||||||
match:
|
|
||||||
resources:
|
|
||||||
kinds:
|
|
||||||
- Pod
|
|
||||||
preconditions:
|
|
||||||
- key: "{{ request.operation }}"
|
|
||||||
operator: Equals
|
|
||||||
value: "CREATE"
|
|
||||||
mutate:
|
|
||||||
foreach:
|
|
||||||
- list: "request.object.spec.containers"
|
|
||||||
patchesJson6902: |-
|
|
||||||
- path: /spec/containers/{{elementIndex}}/securityContext
|
|
||||||
op: add
|
|
||||||
value: {"runAsNonRoot" : true}
|
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: mutate-images
|
|
||||||
annotations:
|
annotations:
|
||||||
pod-policies.kyverno.io/autogen-controllers: none
|
pod-policies.kyverno.io/autogen-controllers: none
|
||||||
|
name: foreach-json-patch
|
||||||
spec:
|
spec:
|
||||||
background: false
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: test
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
mutate:
|
mutate:
|
||||||
foreach:
|
foreach:
|
||||||
- list: "request.object.spec.containers"
|
- list: request.object.spec.containers
|
||||||
|
patchesJson6902: |-
|
||||||
|
- path: /spec/containers/{{elementIndex}}/securityContext
|
||||||
|
op: add
|
||||||
|
value: {"runAsNonRoot" : true}
|
||||||
|
name: add-security-context
|
||||||
|
preconditions:
|
||||||
|
all:
|
||||||
|
- key: '{{ request.operation }}'
|
||||||
|
operator: Equals
|
||||||
|
value: CREATE
|
||||||
|
validationFailureAction: Audit
|
||||||
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
pod-policies.kyverno.io/autogen-controllers: none
|
||||||
|
name: mutate-images
|
||||||
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: false
|
||||||
|
rules:
|
||||||
|
- match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Pod
|
||||||
|
mutate:
|
||||||
|
foreach:
|
||||||
|
- list: request.object.spec.containers
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: "{{ element.name }}"
|
- image: registry.digitalocean.com/runlevl4/{{ images.containers."{{element.name}}".name}}:{{images.containers."{{element.name}}".tag}}
|
||||||
image: registry.digitalocean.com/runlevl4/{{ images.containers."{{element.name}}".name}}:{{images.containers."{{element.name}}".tag}}
|
name: '{{ element.name }}'
|
||||||
|
name: test
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
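Review bot: The new side pins `foreach-json-patch` to `background: true` (the old file set no background mode) while its only precondition keys on `{{ request.operation }}`, which has no admission value in a background scan; `add-default-resources` in this commit keeps `background: false` for the same CREATE/UPDATE guard, so confirm which is intended and add a comment on the `background:` line stating the reason. The `mutate-images` rule named `test` rewrites every container image to a hard-coded `registry.digitalocean.com/runlevl4/` path; if it is a sample rather than a policy meant to be applied, a comment above `- match:` saying so would avoid it being copied as-is.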
@ -1,29 +1,32 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: add-default-resources
|
name: add-default-resources
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
rules:
|
rules:
|
||||||
- name: add-default-requests
|
- match:
|
||||||
match:
|
|
||||||
any:
|
any:
|
||||||
- resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
preconditions:
|
|
||||||
any:
|
|
||||||
- key: "{{request.operation}}"
|
|
||||||
operator: In
|
|
||||||
value:
|
|
||||||
- CREATE
|
|
||||||
- UPDATE
|
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- (name): "*"
|
- (name): '*'
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
+(memory): "100Mi"
|
+(cpu): 100m
|
||||||
+(cpu): "100m"
|
+(memory): 100Mi
|
||||||
|
name: add-default-requests
|
||||||
|
preconditions:
|
||||||
|
any:
|
||||||
|
- key: '{{request.operation}}'
|
||||||
|
operator: AllIn
|
||||||
|
value:
|
||||||
|
- CREATE
|
||||||
|
- UPDATE
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,100 +1,107 @@
|
||||||
# Below there are both type of policies: ClusterPolicy and Policy(Namespaced-Policy)
|
---
|
||||||
|
|
||||||
#ClusterPolicy
|
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: add-label
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/title: Add nodeSelector
|
|
||||||
policies.kyverno.io/category: Sample
|
policies.kyverno.io/category: Sample
|
||||||
|
policies.kyverno.io/description: Labels are used as an important source of metadata
|
||||||
|
describing objects in various ways or triggering other functionality. Labels
|
||||||
|
are also a very basic concept and should be used throughout Kubernetes. This
|
||||||
|
policy performs a simple mutation which adds a label `color=orange` to Pods,
|
||||||
|
Services, ConfigMaps, and Secrets.
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/title: Add nodeSelector
|
||||||
Labels are used as an important source of metadata describing objects in various ways
|
name: add-label
|
||||||
or triggering other functionality. Labels are also a very basic concept and should be
|
|
||||||
used throughout Kubernetes. This policy performs a simple mutation which adds a label
|
|
||||||
`color=orange` to Pods, Services, ConfigMaps, and Secrets.
|
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
rules:
|
rules:
|
||||||
- name: add-label
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
color: orange
|
color: orange
|
||||||
- name: "impossible-rule"
|
name: add-label
|
||||||
match:
|
- match:
|
||||||
resources:
|
any:
|
||||||
kinds:
|
- resources:
|
||||||
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
preconditions:
|
|
||||||
all:
|
|
||||||
- key: "not-the-name" # This precondition should always fail!
|
|
||||||
operator: In
|
|
||||||
value: "{{ request.object.metadata.labels | keys(@) }}"
|
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
something: "something"
|
something: something
|
||||||
|
name: impossible-rule
|
||||||
|
preconditions:
|
||||||
|
all:
|
||||||
|
- key: not-the-name
|
||||||
|
operator: AllIn
|
||||||
|
value: '{{ request.object.metadata.labels | keys(@) }}'
|
||||||
|
validationFailureAction: Audit
|
||||||
---
|
---
|
||||||
|
|
||||||
# Policy ( In testing namespace )
|
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: Policy
|
kind: Policy
|
||||||
metadata:
|
metadata:
|
||||||
|
annotations:
|
||||||
|
policies.kyverno.io/category: Sample
|
||||||
|
policies.kyverno.io/description: The ndots value controls where DNS lookups are
|
||||||
|
first performed in a cluster and needs to be set to a lower value than the default
|
||||||
|
of 5 in some cases. This policy mutates all Pods to add the ndots option with
|
||||||
|
a value of 1.
|
||||||
|
policies.kyverno.io/subject: Pod
|
||||||
|
policies.kyverno.io/title: Add ndots
|
||||||
name: add-ndots
|
name: add-ndots
|
||||||
namespace: testing
|
namespace: testing
|
||||||
annotations:
|
|
||||||
policies.kyverno.io/title: Add ndots
|
|
||||||
policies.kyverno.io/category: Sample
|
|
||||||
policies.kyverno.io/subject: Pod
|
|
||||||
policies.kyverno.io/description: >-
|
|
||||||
The ndots value controls where DNS lookups are first performed in a cluster
|
|
||||||
and needs to be set to a lower value than the default of 5 in some cases.
|
|
||||||
This policy mutates all Pods to add the ndots option with a value of 1.
|
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
rules:
|
rules:
|
||||||
- name: add-ndots
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
spec:
|
spec:
|
||||||
dnsConfig:
|
dnsConfig:
|
||||||
options:
|
options:
|
||||||
- name: ndots
|
- name: ndots
|
||||||
value: "1"
|
value: "1"
|
||||||
|
name: add-ndots
|
||||||
|
validationFailureAction: Audit
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: example
|
name: example
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: object_from_lists
|
- context:
|
||||||
context:
|
- name: annotations
|
||||||
- name: annotations
|
variable:
|
||||||
variable:
|
jmesPath: items(request.object.metadata.annotations, 'key', 'value')[?starts_with(key,
|
||||||
jmesPath: items(request.object.metadata.annotations, 'key', 'value')[?starts_with(key, 'key')]
|
'key')]
|
||||||
- name: annotations
|
- name: annotations
|
||||||
variable:
|
variable:
|
||||||
jmesPath: object_from_lists(annotations[].key, annotations[].value)
|
jmesPath: object_from_lists(annotations[].key, annotations[].value)
|
||||||
match:
|
match:
|
||||||
resources:
|
any:
|
||||||
kinds:
|
- resources:
|
||||||
- Pod
|
kinds:
|
||||||
|
- Pod
|
||||||
mutate:
|
mutate:
|
||||||
patchesJson6902: |-
|
patchesJson6902: |-
|
||||||
- path: "/metadata/annotations"
|
- path: "/metadata/annotations"
|
||||||
op: replace
|
op: replace
|
||||||
value: {{ annotations }}
|
value: {{ annotations }}
|
||||||
|
name: object_from_lists
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
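Review bot: The `add-label` policy carries `policies.kyverno.io/title: Add nodeSelector` next to a description and rule that add the label `color=orange`; the title is wrong and survives the regeneration, so change it to `policies.kyverno.io/title: Add label`. The inline comment `# This precondition should always fail!` on the `not-the-name` key of `impossible-rule` was dropped; that rule is only meaningful as a negative fixture and should say so, e.g. `- key: not-the-name  # never a label key, so this rule must never fire`. In the `example` policy the two `context` entries both named `annotations` shadow each other on purpose (the second is derived from the first); a comment on the second `- name: annotations` noting the intentional reuse would prevent a well-meant rename.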
@ -1,19 +1,23 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: add-default-labels
|
name: add-default-labels
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
rules:
|
rules:
|
||||||
- name: add-default-labels
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
- Service
|
- Service
|
||||||
- Namespace
|
- Namespace
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
custom-foo-label: my-bar-default
|
custom-foo-label: my-bar-default
|
||||||
|
name: add-default-labels
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,34 +1,39 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: add-pod-default-seccompprofile
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Security
|
policies.kyverno.io/category: Security
|
||||||
policies.kyverno.io/description: Seccomp Profiles restrict the system calls that can be made
|
policies.kyverno.io/description: Seccomp Profiles restrict the system calls that
|
||||||
from a process. The Linux kernel has a few hundred system calls, but most of them are not
|
can be made from a process. The Linux kernel has a few hundred system calls,
|
||||||
needed by any given process. If a process can be compromised and tricked into making other
|
but most of them are not needed by any given process. If a process can be compromised
|
||||||
system calls, though, it may lead to a security vulnerability that could result in the
|
and tricked into making other system calls, though, it may lead to a security
|
||||||
compromise of the whole system. By restricting what system calls can be made, seccomp is
|
vulnerability that could result in the compromise of the whole system. By restricting
|
||||||
a key component for building application sandboxes.
|
what system calls can be made, seccomp is a key component for building application
|
||||||
|
sandboxes.
|
||||||
|
name: add-pod-default-seccompprofile
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
validationFailureAction: audit
|
|
||||||
rules:
|
rules:
|
||||||
- name: add-pod-default-seccompprofile
|
- exclude:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
namespaces:
|
||||||
|
- kube-system
|
||||||
|
- kube-public
|
||||||
|
- default
|
||||||
|
- kyverno
|
||||||
match:
|
match:
|
||||||
resources:
|
any:
|
||||||
kinds:
|
- resources:
|
||||||
- Pod
|
kinds:
|
||||||
exclude:
|
- Pod
|
||||||
resources:
|
|
||||||
namespaces:
|
|
||||||
- "kube-system"
|
|
||||||
- "kube-public"
|
|
||||||
- "default"
|
|
||||||
- "kyverno"
|
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
spec:
|
spec:
|
||||||
securityContext:
|
securityContext:
|
||||||
seccompProfile:
|
seccompProfile:
|
||||||
type: RuntimeDefault
|
type: RuntimeDefault
|
||||||
|
name: add-pod-default-seccompprofile
|
||||||
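Review bot: The `patchStrategicMerge` on the new side still writes `seccompProfile.type: RuntimeDefault` without an add-if-absent anchor, so a Pod that already declares an explicit profile (for example a `Localhost` profile) has it replaced rather than defaulted, which is at odds with the policy name. Changing the key to `+(seccompProfile):` applies the default only when the Pod sets none. The rule also only touches the Pod-level `spec.securityContext`; a container-level `securityContext.seccompProfile` still overrides it, which deserves a comment above `mutate:` if that is intended, e.g. `# Pod-level default only; container-level seccompProfile settings take precedence.`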
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,35 +1,38 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: insert-podantiaffinity
|
name: insert-podantiaffinity
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: insert-podantiaffinity
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Deployment
|
- Deployment
|
||||||
preconditions:
|
mutate:
|
||||||
# This precondition ensures that the label `app` is applied to Pods within the Deployment resource.
|
patchStrategicMerge:
|
||||||
- key: "{{request.object.metadata.labels.app}}"
|
spec:
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
+(affinity):
|
||||||
|
+(podAntiAffinity):
|
||||||
|
+(preferredDuringSchedulingIgnoredDuringExecution):
|
||||||
|
- podAffinityTerm:
|
||||||
|
labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: app
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- '{{request.object.metadata.labels.app}}'
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
weight: 1
|
||||||
|
name: insert-podantiaffinity
|
||||||
|
preconditions:
|
||||||
|
all:
|
||||||
|
- key: '{{request.object.metadata.labels.app}}'
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: ""
|
value: ""
|
||||||
# Mutates the Deployment resource to add fields.
|
validationFailureAction: Audit
|
||||||
mutate:
|
|
||||||
patchStrategicMerge:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
# Add the `affinity` key and others if not already specified in the Deployment manifest.
|
|
||||||
+(affinity):
|
|
||||||
+(podAntiAffinity):
|
|
||||||
+(preferredDuringSchedulingIgnoredDuringExecution):
|
|
||||||
- weight: 1
|
|
||||||
podAffinityTerm:
|
|
||||||
topologyKey: "kubernetes.io/hostname"
|
|
||||||
labelSelector:
|
|
||||||
matchExpressions:
|
|
||||||
- key: app
|
|
||||||
operator: In
|
|
||||||
values:
|
|
||||||
- "{{request.object.metadata.labels.app}}"
|
|
||||||
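Review bot: The three explanatory comments the old side carried (the precondition on the `app` label, the mutate step, and the `+()` add-if-absent anchors) are gone from the new side, so the rewritten rule no longer says why `preconditions.all` gates on the label or what `+(affinity):` does. The validate-probes and spread-pods hunks below lose their comments the same way. Suggest restoring them above `preconditions:` and `+(affinity):`, e.g. `# Requires the app label so the labelSelector below has a value to match.` and `# +() adds the key only when the Deployment does not already set it.`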
|
|
|
@ -1,22 +1,25 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: secrets-not-from-env-vars
|
name: secrets-not-from-env-vars
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
validationFailureAction: audit
|
|
||||||
rules:
|
rules:
|
||||||
- name: secrets-not-from-env-vars
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: secrets-not-from-env-vars
|
||||||
validate:
|
validate:
|
||||||
message: "Secrets must be mounted as volumes, not as environment variables."
|
message: Secrets must be mounted as volumes, not as environment variables.
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: "*"
|
- =(env):
|
||||||
=(env):
|
|
||||||
- =(valueFrom):
|
- =(valueFrom):
|
||||||
X(secretKeyRef): "null"
|
X(secretKeyRef): "null"
|
||||||
|
name: '*'
|
||||||
|
validationFailureAction: Audit
|
||||||
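Review bot: The restructured pattern still inspects only `spec.containers[].env`, so a secret pulled in through `envFrom[].secretRef`, or through `env` on `initContainers`/`ephemeralContainers`, is not flagged even though the message says secrets must not be environment variables. Adding `=(envFrom):` / `- X(secretRef): "null"` next to `=(env):` covers the first gap; the init and ephemeral container lists need the same container pattern repeated under their own keys. Since the rule reads nothing from `request.*`, `background: true` would also let existing Pods be audited for this.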
|
|
|
@ -1,66 +1,64 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: validate-probes
|
|
||||||
annotations:
|
annotations:
|
||||||
# Only applies to pods originating from DaemonSet, Deployment, or StatefulSet.
|
|
||||||
pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
|
pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
|
||||||
|
name: validate-probes
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: enforce
|
admission: true
|
||||||
background: false
|
background: false
|
||||||
rules:
|
rules:
|
||||||
# Checks the first container in a Pod.
|
- match:
|
||||||
- name: validate-probes-c0
|
any:
|
||||||
match:
|
- resources:
|
||||||
resources:
|
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
validate:
|
name: validate-probes-c0
|
||||||
message: "Liveness and readiness probes cannot be the same."
|
validate:
|
||||||
# A `deny` rule is different in structure than a `validate` rule and inverts the check. It uses `conditions` written in JMESPath notation upon which to base its decisions.
|
deny:
|
||||||
deny:
|
conditions:
|
||||||
conditions:
|
- key: '{{ request.object.spec.containers[0].readinessProbe }}'
|
||||||
# In this condition, it checks the entire map structure of the `readinessProbe` against that of the `livenessProbe`. If both are found to be equal, the Pod creation
|
operator: Equals
|
||||||
# request will be denied.
|
value: '{{ request.object.spec.containers[0].livenessProbe }}'
|
||||||
- key: "{{ request.object.spec.containers[0].readinessProbe }}"
|
message: Liveness and readiness probes cannot be the same.
|
||||||
operator: Equals
|
- match:
|
||||||
value: "{{ request.object.spec.containers[0].livenessProbe }}"
|
any:
|
||||||
# Checks the second container in a Pod.
|
- resources:
|
||||||
- name: validate-probes-c1
|
|
||||||
match:
|
|
||||||
resources:
|
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
validate:
|
name: validate-probes-c1
|
||||||
message: "Liveness and readiness probes cannot be the same."
|
validate:
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: "{{ request.object.spec.containers[1].readinessProbe }}"
|
- key: '{{ request.object.spec.containers[1].readinessProbe }}'
|
||||||
operator: Equals
|
operator: Equals
|
||||||
value: "{{ request.object.spec.containers[1].livenessProbe }}"
|
value: '{{ request.object.spec.containers[1].livenessProbe }}'
|
||||||
# Checks the third container in a Pod.
|
message: Liveness and readiness probes cannot be the same.
|
||||||
- name: validate-probes-c2
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
validate:
|
name: validate-probes-c2
|
||||||
message: "Liveness and readiness probes cannot be the same."
|
validate:
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: "{{ request.object.spec.containers[2].readinessProbe }}"
|
- key: '{{ request.object.spec.containers[2].readinessProbe }}'
|
||||||
operator: Equals
|
operator: Equals
|
||||||
value: "{{ request.object.spec.containers[2].livenessProbe }}"
|
value: '{{ request.object.spec.containers[2].livenessProbe }}'
|
||||||
# Checks the fourth container in a Pod.
|
message: Liveness and readiness probes cannot be the same.
|
||||||
- name: validate-probes-c3
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
validate:
|
name: validate-probes-c3
|
||||||
message: "Liveness and readiness probes cannot be the same."
|
validate:
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: "{{ request.object.spec.containers[3].readinessProbe }}"
|
- key: '{{ request.object.spec.containers[3].readinessProbe }}'
|
||||||
operator: Equals
|
operator: Equals
|
||||||
value: "{{ request.object.spec.containers[3].livenessProbe }}"
|
value: '{{ request.object.spec.containers[3].livenessProbe }}'
|
||||||
|
message: Liveness and readiness probes cannot be the same.
|
||||||
|
validationFailureAction: Enforce
|
||||||
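Review bot: The four `deny` rules on the new side still cover only `containers[0]` through `containers[3]`, so under `Enforce` a fifth container with identical probes is admitted, while on a Pod with fewer containers the `readinessProbe`/`livenessProbe` lookups for the missing indexes both come back empty — how `Equals` on two unresolved variables is evaluated should be confirmed, as a match there would deny every single-container Pod. A single rule iterating the container list removes both the cap and the index-dependent behaviour. The old side's comments explaining the `deny` form and the per-container split are also dropped and should be carried over.
```yaml
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: validate-probes
    validate:
      # One iteration per container, whatever the count.
      foreach:
      - list: request.object.spec.containers[]
        deny:
          conditions:
          - key: '{{ element.readinessProbe }}'
            operator: Equals
            value: '{{ element.livenessProbe }}'
      message: Liveness and readiness probes cannot be the same.
```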
|
|
|
@ -1,24 +1,29 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: deployment-has-multiple-replicas
|
name: deployment-has-multiple-replicas
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: deployment-has-multiple-replicas
|
- exclude:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
|
||||||
- Deployment
|
|
||||||
exclude:
|
|
||||||
resources:
|
|
||||||
namespaces:
|
namespaces:
|
||||||
- kyverno
|
- kyverno
|
||||||
- kube-system
|
- kube-system
|
||||||
- kube-node-lease
|
- kube-node-lease
|
||||||
- kube-public
|
- kube-public
|
||||||
validate:
|
match:
|
||||||
message: "Deployments must have more than one replica to ensure availability."
|
any:
|
||||||
pattern:
|
- resources:
|
||||||
spec:
|
kinds:
|
||||||
replicas: ">1"
|
- Deployment
|
||||||
|
name: deployment-has-multiple-replicas
|
||||||
|
validate:
|
||||||
|
message: Deployments must have more than one replica to ensure availability.
|
||||||
|
pattern:
|
||||||
|
spec:
|
||||||
|
replicas: '>1'
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,33 +1,40 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: drop-all-capabilities
|
name: drop-all-capabilities
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: drop-all-containers
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: drop-all-containers
|
||||||
validate:
|
validate:
|
||||||
message: "Drop all must be defined for every container in the Pod."
|
message: Drop all must be defined for every container in the Pod.
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- securityContext:
|
- securityContext:
|
||||||
capabilities:
|
capabilities:
|
||||||
drop: ["ALL"]
|
drop:
|
||||||
- name: drop-all-initcontainers
|
- ALL
|
||||||
match:
|
- match:
|
||||||
resources:
|
any:
|
||||||
kinds:
|
- resources:
|
||||||
- Pod
|
kinds:
|
||||||
|
- Pod
|
||||||
|
name: drop-all-initcontainers
|
||||||
validate:
|
validate:
|
||||||
message: "Drop all must be defined for every container in the Pod."
|
message: Drop all must be defined for every container in the Pod.
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
initContainers:
|
initContainers:
|
||||||
- securityContext:
|
- securityContext:
|
||||||
capabilities:
|
capabilities:
|
||||||
drop: ["ALL"]
|
drop:
|
||||||
|
- ALL
|
||||||
|
validationFailureAction: Audit
|
||||||
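Review bot: Neither rule on the new side covers `spec.ephemeralContainers`, so a debug container added to a Pod is not required to drop `ALL` capabilities while regular and init containers are. A third rule mirroring `drop-all-initcontainers` with `ephemeralContainers:` in the pattern would close that; whether the `Pod` kind match also sees updates arriving through the `pods/ephemeralcontainers` subresource should be confirmed for this Kyverno version.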
|
|
|
@ -1,22 +1,27 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: restrict-automount-sa-token
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Security
|
policies.kyverno.io/category: Security
|
||||||
policies.kyverno.io/description: Kubernetes automatically mounts service account
|
policies.kyverno.io/description: Kubernetes automatically mounts service account
|
||||||
credentials in each pod. The service account may be assigned roles allowing pods
|
credentials in each pod. The service account may be assigned roles allowing
|
||||||
to access API resources. To restrict access, opt out of auto-mounting tokens by
|
pods to access API resources. To restrict access, opt out of auto-mounting tokens
|
||||||
setting automountServiceAccountToken to false.
|
by setting automountServiceAccountToken to false.
|
||||||
|
name: restrict-automount-sa-token
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-automountServiceAccountToken
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-automountServiceAccountToken
|
||||||
validate:
|
validate:
|
||||||
message: "Auto-mounting of Service Account tokens is not allowed"
|
message: Auto-mounting of Service Account tokens is not allowed
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
automountServiceAccountToken: false
|
automountServiceAccountToken: false
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,22 +1,27 @@
|
||||||
apiVersion : kyverno.io/v1
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: restrict-ingress-classes
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Workload Management
|
policies.kyverno.io/category: Workload Management
|
||||||
policies.kyverno.io/description: It can be useful to restrict Ingress resources to a set of
|
policies.kyverno.io/description: It can be useful to restrict Ingress resources
|
||||||
known ingress classes that are allowed in the cluster. You can customize this policy to
|
to a set of known ingress classes that are allowed in the cluster. You can customize
|
||||||
allow ingress classes that are configured in the cluster.
|
this policy to allow ingress classes that are configured in the cluster.
|
||||||
|
name: restrict-ingress-classes
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-ingress
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Ingress
|
- Ingress
|
||||||
|
name: validate-ingress
|
||||||
validate:
|
validate:
|
||||||
message: "Unknown ingress class"
|
message: Unknown ingress class
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
kubernetes.io/ingress.class: "F5 | nginx"
|
kubernetes.io/ingress.class: F5 | nginx
|
||||||
|
validationFailureAction: Audit
|
||||||
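Review bot: The pattern still keys only on the `kubernetes.io/ingress.class` annotation; with `networking.k8s.io/v1` Ingress the class is usually set in `spec.ingressClassName`, so an Ingress carrying only that field has no annotation for the pattern to match and is reported as "Unknown ingress class", while the value of `spec.ingressClassName` itself is never checked against the allow-list. A second pattern on `spec: ingressClassName: F5 | nginx` (or a `validate.anyPattern` covering both locations) would make the check follow the field that actually selects the controller. Also, `F5 | nginx` is now an unquoted plain scalar; it parses as the same string, but the `|` makes it easy to misread as a block indicator, so keeping `'F5 | nginx'` quoted would be clearer.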
|
|
|
@ -1,17 +1,21 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: no-loadbalancers
|
name: no-loadbalancers
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: audit
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: no-LoadBalancer
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Service
|
- Service
|
||||||
|
name: no-LoadBalancer
|
||||||
validate:
|
validate:
|
||||||
message: "Service of type LoadBalancer is not allowed."
|
message: Service of type LoadBalancer is not allowed.
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
type: "!LoadBalancer"
|
type: '!LoadBalancer'
|
||||||
|
validationFailureAction: Audit
|
||||||
|
|
|
@ -1,45 +1,53 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: validate-userid-groupid-fsgroup
|
|
||||||
annotations:
|
annotations:
|
||||||
policies.kyverno.io/category: Security Context
|
policies.kyverno.io/category: Security Context
|
||||||
policies.kyverno.io/description: All processes inside the pod can be made to run with specific user
|
policies.kyverno.io/description: All processes inside the pod can be made to run
|
||||||
and groupID by setting 'runAsUser' and 'runAsGroup' respectively. 'fsGroup' can be specified
|
with specific user and groupID by setting 'runAsUser' and 'runAsGroup' respectively.
|
||||||
to make sure any file created in the volume with have the specified groupID. These options can be
|
'fsGroup' can be specified to make sure any file created in the volume with
|
||||||
used to validate the IDs used for user and group.
|
have the specified groupID. These options can be used to validate the IDs used
|
||||||
|
for user and group.
|
||||||
|
name: validate-userid-groupid-fsgroup
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: validate-userid
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-userid
|
||||||
validate:
|
validate:
|
||||||
message: "User ID should be 1000"
|
message: User ID should be 1000
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
securityContext:
|
securityContext:
|
||||||
runAsUser: '1000'
|
runAsUser: "1000"
|
||||||
- name: validate-groupid
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-groupid
|
||||||
validate:
|
validate:
|
||||||
message: "Group ID should be 3000"
|
message: Group ID should be 3000
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
securityContext:
|
securityContext:
|
||||||
runAsGroup: '3000'
|
runAsGroup: "3000"
|
||||||
- name: validate-fsgroup
|
- match:
|
||||||
match:
|
any:
|
||||||
resources:
|
- resources:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
|
name: validate-fsgroup
|
||||||
validate:
|
validate:
|
||||||
message: "fsgroup should be 2000"
|
message: fsgroup should be 2000
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
securityContext:
|
securityContext:
|
||||||
fsGroup: '2000'
|
fsGroup: "2000"
|
||||||
|
validationFailureAction: Audit
|
||||||
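Review bot: The three patterns check only the Pod-level `spec.securityContext`; a container-level `securityContext.runAsUser`/`runAsGroup` overrides the Pod value and is not inspected, so a Pod that sets `runAsUser: "1000"` at Pod level and a different uid in a container still passes. A companion pattern under `spec.containers` such as `- =(securityContext):` / `=(runAsUser): "1000"` (and the same for `runAsGroup`) would cover the override; `fsGroup` has no container-level equivalent. The annotation text `created in the volume with have the specified groupID` also reads as a typo for `will have`.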
|
|
|
@ -1,29 +1,31 @@
|
||||||
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: spread-pods
|
name: spread-pods
|
||||||
spec:
|
spec:
|
||||||
|
admission: true
|
||||||
|
background: true
|
||||||
rules:
|
rules:
|
||||||
- name: spread-pods-across-nodes
|
- match:
|
||||||
# Matches any Deployment with the label `distributed=required`
|
any:
|
||||||
match:
|
- resources:
|
||||||
resources:
|
|
||||||
kinds:
|
kinds:
|
||||||
- Deployment
|
- Deployment
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
distributed: required
|
distributed: required
|
||||||
# Mutates the incoming Deployment.
|
mutate:
|
||||||
mutate:
|
patchStrategicMerge:
|
||||||
patchStrategicMerge:
|
spec:
|
||||||
spec:
|
template:
|
||||||
template:
|
spec:
|
||||||
spec:
|
+(topologySpreadConstraints):
|
||||||
# Adds the topologySpreadConstraints field if non-existent in the request.
|
- labelSelector:
|
||||||
+(topologySpreadConstraints):
|
matchLabels:
|
||||||
- maxSkew: 1
|
distributed: required
|
||||||
topologyKey: zone
|
maxSkew: 1
|
||||||
whenUnsatisfiable: DoNotSchedule
|
topologyKey: zone
|
||||||
labelSelector:
|
whenUnsatisfiable: DoNotSchedule
|
||||||
matchLabels:
|
name: spread-pods-across-nodes
|
||||||
distributed: required
|
validationFailureAction: Audit
|
||||||
|
|