start best practice policies

examples/best_practices/README.md

@@ -0,0 +1,23 @@
+# Best Practice Policies
+
+This folder contains recommended policies
+
+| Best practice                                  | Policy
+|------------------------------------------------|-----------------------------------------------------------------------|-
+| Run as non-root user                           | 
+| Disallow privileged and privilege escalation   |
+| Disallow use of host networking and ports      |
+| Disallow use of host filesystem                |
+| Disallow hostPOD and hostIPC                   |
+| Require read only root filesystem              |
+| Disallow node ports                            |
+| Allow trusted registries                       |
+| Require resource requests and limits           | [container_resources.yaml](container_resources.yaml)
+| Require pod liveness and readiness probes      |
+| Require an image tag                           |
+| Disallow latest tag and pull IfNotPresent      |
+| Require a namespace (disallow default)         |
+| Disallow use of kube-system namespace          |
+| Prevent mounting of service account secret     |
+| Require a default network policy               |
+| Require namespace quotas and limit ranges      |

examples/best_practices/resources/nginx-deployment.yaml

@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  labels: 
+    app: "nirmata-nginx"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest

examples/best_practices/validate_container_security_context.yaml

@@ -0,0 +1,49 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: check-container-security-context
+spec:
+  validationFailureAction: "audit"
+  rules:
+  - name: check-root-user
+    exclude:
+      namespace: kube-system
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Root user is not allowed. Set runAsNonRoot to true."
+      # See https://github.com/nirmata/kyverno/issues/285
+      # anyPattern:
+      #  - spec:
+      #      securityContext:            
+      #        runAsNonRoot: true
+      pattern:
+        spec:
+          containers:
+          - name: "*"
+            securityContext:
+              runAsNonRoot: true
+  - name: check-privilege
+    exclude:
+      namespace: kube-system
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false"
+      # See https://github.com/nirmata/kyverno/issues/285
+      # anyPattern:
+      #  - spec:
+      #    securityContext:            
+      #     allowPrivilegeEscalation: false
+      #     privileged: false   
+      pattern:
+        spec:
+          containers:
+          - name: "*"
+            securityContext:
+              allowPrivilegeEscalation: false
+              privileged: false

examples/best_practices/validate_default_namespace.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: validate-namespace
+spec:
+  validationFailureAction: "audit"
+  rules:
+  - name: check-default-namespace
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "A namespace is required"
+      anyPattern:
+        - metadata:
+            namespace: "?*"
+        - metadata:
+            namespace: "!default"

examples/best_practices/validate_host_network_port.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: validate-host-network-port
+spec:
+  validationFailureAction: "audit"
+  rules:
+  - name: validate-host-network-port
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Host network and port are not allowed"
+      pattern:
+        spec:
+          hostNetwork: false
+          containers:          
+          - name: "*" # is name necessary??
+            ports:
+              hostPort: null
+

examples/best_practices/validate_host_path.yaml

@@ -0,0 +1,39 @@
+# apiVersion : kyverno.io/v1alpha1
+# kind: Policy
+# metadata:
+#   name: validate-host-dirs
+# spec:
+#   rules:
+#   - name: validate-host-path
+#     match:
+#       resources:
+#         kinds:
+#         - Pod
+#     validate:
+#       message: "Host path is not allowed"
+#       pattern:
+#         spec:
+#           volumes:
+#           - (name): "*"
+#             hostPath:
+#               path: ""
+
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: validate-host-path
+spec:
+  rules:
+  - name: validate-host-path
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Host path '/var/lib/' is not allowed"
+      pattern:
+        spec:
+          volumes:
+          - (name): "*"
+            +(hostPath):
+              path: "!/var/lib/*"

examples/best_practices/validate_image_registries.yaml

@@ -0,0 +1,19 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: validate-image-registry
+spec:
+  rules:
+  - name: validate-image-registry
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Image registry is not allowed"
+      pattern:
+        spec:
+          containers:
+          - name: "*"
+            # Check allowed registries
+            image: "*nirmata* | https://private.registry.io/*"

examples/best_practices/validate_image_tag.yaml

@@ -0,0 +1,34 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  annotations:
+    kyverno.io/category: images
+    kyverno.io/description: |
+      ......
+  name: validate-image
+spec:
+  rules:
+  - name: validate-tag
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "An image tag is required"    
+      pattern:
+        spec:
+          containers:
+          - image: "*:*"  
+  - name: validate-latest
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "imagePullPolicy 'Always' required with tag 'latest'"    
+      pattern:
+        spec:
+          containers:
+          - (image): "*latest"
+            imagePullPolicy: Always
+

examples/best_practices/validate_pod_probes.yaml

@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: validate-probes
+spec:
+  validationFailureAction: "audit"
+  rules:
+  - name: check-probes
+    match:
+      resources:
+        kinds:
+        - Pod
+    # exclude:
+    #   namespaces:
+    #     - kube-system
+    validate:
+      message: "Liveness and readiness probes are required"
+      pattern:
+        spec:
+          containers:
+            livenessProbe:
+              periodSeconds: ">0"      
+            readinessProbe:
+              periodSeconds: ">0"
+

examples/best_practices/validate_pod_resources.yaml

@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: check-resources
+spec:
+  validationFailureAction: "audit"
+  rules:
+  - name: check-pod-resources
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "CPU and memory resource requests and limits are required"
+      pattern:
+        spec:
+          containers:
+          - name: "*"
+            resources:
+              requests:
+                memory: "?*"
+                cpu: "?*"
+              limits:
+                memory: "?*"
+                cpu: "?*"

vendor/gotest.tools/fs/testdata/copy-test-with-symlink/a/b/3

@@ -1 +1 @@
-/some/inexistent/link
+C:/some/inexistent/link