Merge branch 'master' into 410_no_new_capabilities

2025-03-29 10:55:05 +00:00 · 2019-11-01 14:53:56 -07:00 · 2019-11-01 14:53:56 -07:00 · 8ddd9f036f
commit 8ddd9f036f
parent 4fbc57bfed 6fa53a2304
6 changed files with 25 additions and 32 deletions
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@ -307,7 +307,7 @@ spec:
      serviceAccountName: kyverno-service-account
      containers:
        - name: kyverno
-          image: nirmata/kyverno:latest
+          image: nirmata/kyverno:v0.11.0
          args:
          - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
          # customize webhook timout
--- a/samples/DisallowHostFS.md
+++ b/samples/DisallowHostFS.md
@ -1,6 +1,6 @@
-# Disallow use of host filesystem
+# Disallow use of bind mounts (`hostPath` volumes)

-The volume of type `hostpath` allows pods to use host directories and volume mounted to a host path. This binds pods to a specific host, and data persisted in the volume is coupled to the life of the node. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes).
+The volume of type `hostPath` allows pods to use host bind mounts (i.e. directories and volumes mounted to a host path) in containers. Using host resources can be used to access shared data or escalate priviliges. Also, this couples pods to a specific host and data persisted in the `hostPath` volume is coupled to the life of the node leading to potential pod scheduling failures. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes).

 ## Policy YAML 

--- a/samples/README.md
+++ b/samples/README.md
@ -11,12 +11,23 @@ kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/inst

 **Apply Kyverno Policies**

+To start applying policies to your cluster, first clone the repo:
+
 ````bash
+git clone https://github.com/nirmata/kyverno.git
+cd kyverno
+````

-kubectl create -f https://github.com/nirmata/kyverno/raw/master/samples/best_practices/
+Import best_practices from [here](best_pratices):

-kubectl create -f https://github.com/nirmata/kyverno/raw/master/samples/more/
+````bash
+kubectl create -f samples/best_practices
+````

+Import addition policies from [here](more):
+
+````bash
+kubectl create -f samples/more/
 ````

 The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.
@ -29,7 +40,7 @@ These policies are highly recommended.
 2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md)
 3. [Disallow new capabilities](DisallowNewCapabilities.md)
 4. [Require Read-only root filesystem](RequireReadOnlyFS.md)
-5. [Disallow use of host filesystem](DisallowHostFS.md)
+5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
 6. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
 7. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
 8. [Disallow unknown image registries](DisallowUnknownRegistries.md)
--- a/samples/best_practices/disallow_host_filesystem.yaml
+++ b/samples/best_practices/disallow_host_filesystem.yaml
@ -4,9 +4,13 @@ metadata:
  name: "deny-use-of-host-fs"
  annotations:
    policies.kyverno.io/category: Data Protection
-    policies.kyverno.io/description: The volume of type 'hostpath' binds pods to a specific host, 
-      and data persisted in the volume is dependent on the life of the node. In a shared cluster, 
-      it is recommeded that applications are independent of hosts.
+    policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind 
+      mounts (i.e. directories and volumes mounted to a host path) in containers. Using host 
+      resources can be used to access shared data or escalate priviliges. Also, this couples pods 
+      to a specific host and data persisted in the `hostPath` volume is coupled to the life of the 
+      node leading to potential pod scheduling failures. It is highly recommeded that applications 
+      are designed to be decoupled from the underlying infrstructure (in this case, nodes).
+
 spec: 
  rules: 
  - name: "deny-use-of-host-fs"
--- a/samples/best_practices/policy_validate_deny_runasrootuser.yaml
+++ b/samples/best_practices/policy_validate_deny_runasrootuser.yaml
@ -1,22 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-deny-runasrootuser
-spec:
-  rules:
-  - name: deny-runasrootuser
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Root user is not allowed. Set runAsNonRoot to true."
-      anyPattern:
-      - spec:
-          securityContext:
-            runAsNonRoot: true
-      - spec:
-          containers:
-          - name: "*"
-            securityContext:
-              runAsNonRoot: true
--- a/test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml
@ -1,6 +1,6 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/policy_validate_deny_runasrootuser.yaml
+  policy: samples/best_practices/deny_runasrootuser.yaml
  resource: test/resources/resource_validate_nonRootUser.yaml
 expected:
  validation: