mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-28 18:38:40 +00:00
Code Activity

[Feature] Add posibility to set validationFailureAction by Policy ()

Browse source 
* Implement validationFailureActionByPolicy
* Update README.md
* Add artifacthub.io/changes entry
* Add Test Case
Signed-off-by: dschunack <dschunack@web.de>
This commit is contained in:
Daniel Schunack 2022-08-25 17:29:20 +02:00 committed by GitHub
parent cf0ee93de8
commit 7b31f456c9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
22 changed files with 90 additions and 6 deletions

4
charts/kyverno-policies/Chart.yaml
View file

@ -1,7 +1,7 @@
apiVersion: v2
type: application
name: kyverno-policies
version: v2.5.3
version: v2.5.4
appVersion: v1.7.3
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
description: Kubernetes Pod Security Standards implemented as Kyverno policies
@ -31,3 +31,5 @@ annotations:
description: Ensure preconditions are present with default values
- kind: added
description: Support for failurePolicy setting in kyverno-policies helm chart
- kind: added
description: Add posibility to set validationFailureAction by Policy

5
charts/kyverno-policies/README.md
View file

@ -2,7 +2,7 @@
Kubernetes Pod Security Standards implemented as Kyverno policies
![Version: v2.5.3](https://img.shields.io/badge/Version-v2.5.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.3](https://img.shields.io/badge/AppVersion-v1.7.3-informational?style=flat-square)
![Version: v2.5.4](https://img.shields.io/badge/Version-v2.5.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.3](https://img.shields.io/badge/AppVersion-v1.7.3-informational?style=flat-square)
## About
@ -67,8 +67,9 @@ The command removes all the Kubernetes components associated with the chart and
| podSecuritySeverity | string | `"medium"` | Pod Security Standard (`low`, `medium`, `high`). |
| podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. |
| includeOtherPolicies | list | `[]` | Additional policies to include from `other`. |
| validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
| failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail') For more info: https://kyverno.io/docs/writing-policies/policy-settings/ |
| validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
| validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. |
| validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
| policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
| policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |

2
charts/kyverno-policies/ci/test-values.yaml
View file

@ -1,6 +1,8 @@
podSecurityStandard: restricted
includeOtherPolicies:
- require-non-root-groups
validationFailureActionByPolicy:
require-non-root-groups: enforce
validationFailureActionOverrides:
all:
- action: audit

4
charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
View file

@ -18,7 +18,11 @@ metadata:
policies.kyverno.io/description: >-
Adding capabilities beyond those listed in the policy must be disallowed.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
View file

@ -19,7 +19,11 @@ metadata:
privileges. Pods should not be allowed access to host namespaces. This policy ensures
fields which make use of these host namespaces are unset or set to `false`.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
View file

@ -18,7 +18,11 @@ metadata:
Using host resources can be used to access shared data or escalate privileges
and should not be allowed. This policy ensures no hostPath volumes are in use.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
View file

@ -18,7 +18,11 @@ metadata:
allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
field is unset or set to `0`.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
View file

@ -19,7 +19,11 @@ metadata:
policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
the `hostProcess` field, if present, is set to `false`.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
View file

@ -17,7 +17,11 @@ metadata:
Privileged mode disables most security mechanisms and must not be allowed. This policy
ensures Pods do not call for privileged mode.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
View file

@ -19,7 +19,11 @@ metadata:
to deviate from the `Default` procMount requires setting a feature gate at the API
server.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
View file

@ -17,7 +17,11 @@ metadata:
SELinux options can be used to escalate privileges and should not be allowed. This policy
ensures that the `seLinuxOptions` field is undefined.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
View file

@ -20,7 +20,11 @@ metadata:
overrides to an allowed set of profiles. This policy ensures Pods do not
specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
View file

@ -19,7 +19,11 @@ metadata:
set to `RuntimeDefault` or `Localhost`.
spec:
background: {{ .Values.background }}
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
View file

@ -21,7 +21,11 @@ metadata:
This policy ensures that only those "safe" subsets can be specified in
a Pod.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/other/require-non-root-groups.yaml
View file

@ -19,7 +19,11 @@ metadata:
greater than zero (i.e., non root). A known issue prevents a policy such as this
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
View file

@ -19,7 +19,11 @@ metadata:
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
all containers must explicitly drop `ALL` capabilities.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
View file

@ -17,7 +17,11 @@ metadata:
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
View file

@ -17,7 +17,11 @@ metadata:
Containers must be required to run as non-root users. This policy ensures
`runAsUser` is either unset or set to a number greater than zero.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
View file

@ -18,7 +18,11 @@ metadata:
`runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
View file

@ -20,7 +20,11 @@ metadata:
set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

4
charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
View file

@ -20,7 +20,11 @@ metadata:
limits usage of non-core volume types to those defined through PersistentVolumes.
This policy blocks any other type of volume other than those in the allow list.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}

13
charts/kyverno-policies/values.yaml
View file

@ -12,13 +12,20 @@ podSecurityPolicies: []
includeOtherPolicies: []
# - require-non-root-groups
# -- API server behavior if the webhook fails to respond ('Ignore', 'Fail')
# For more info: https://kyverno.io/docs/writing-policies/policy-settings/
failurePolicy: Fail
# -- Validation failure action (`audit`, `enforce`).
# For more info https://kyverno.io/docs/writing-policies/validate.
validationFailureAction: audit
# -- API server behavior if the webhook fails to respond ('Ignore', 'Fail')
# For more info: https://kyverno.io/docs/writing-policies/policy-settings/
failurePolicy: Fail
# -- Define validationFailureActionByPolicy for specific policies.
# Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies.
validationFailureActionByPolicy: {}
# disallow-capabilities-strict: enforce
# disallow-host-path: enforce
# disallow-host-ports: enforce
# -- Define validationFailureActionOverrides for specific policies.
# The overrides for `all` will apply to all policies.