diff --git a/definitions/install.yaml b/definitions/install.yaml
index dce2f84e0a..ec3c86eb87 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -307,7 +307,7 @@ spec:
 serviceAccountName: kyverno-service-account
 containers:
 - name: kyverno
- image: nirmata/kyverno:latest
+ image: nirmata/kyverno:v0.11.0
 args:
 - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
 # customize webhook timout
diff --git a/samples/DisallowHostFS.md b/samples/DisallowHostFS.md
index 816c32fc52..a1a407e42f 100644
--- a/samples/DisallowHostFS.md
+++ b/samples/DisallowHostFS.md
@@ -1,6 +1,6 @@
-# Disallow use of host filesystem
+# Disallow use of bind mounts (`hostPath` volumes)
-The volume of type `hostpath` allows pods to use host directories and volume mounted to a host path. This binds pods to a specific host, and data persisted in the volume is coupled to the life of the node. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes).
+The volume of type `hostPath` allows pods to use host bind mounts (i.e. directories and volumes mounted to a host path) in containers. Using host resources can be used to access shared data or escalate priviliges. Also, this couples pods to a specific host and data persisted in the `hostPath` volume is coupled to the life of the node leading to potential pod scheduling failures. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes).
 ## Policy YAML
diff --git a/samples/README.md b/samples/README.md
index 6479a7eb53..af19e1b491 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -11,12 +11,23 @@ kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/inst
 **Apply Kyverno Policies**
+To start applying policies to your cluster, first clone the repo:
+
 ````bash
+git clone https://github.com/nirmata/kyverno.git
+cd kyverno
+````
-kubectl create -f https://github.com/nirmata/kyverno/raw/master/samples/best_practices/
+Import best_practices from [here](best_pratices):
-kubectl create -f https://github.com/nirmata/kyverno/raw/master/samples/more/
+````bash
+kubectl create -f samples/best_practices
+````
+Import addition policies from [here](more):
+
+````bash
+kubectl create -f samples/more/
 ````
 The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.
@@ -29,7 +40,7 @@ These policies are highly recommended.
 2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md)
 3. [Disallow new capabilities](DisallowNewCapabilities.md)
 4. [Require Read-only root filesystem](RequireReadOnlyFS.md)
-5. [Disallow use of host filesystem](DisallowHostFS.md)
+5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
 6. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
 7. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
 8. [Disallow unknown image registries](DisallowUnknownRegistries.md)
diff --git a/samples/best_practices/disallow_host_filesystem.yaml b/samples/best_practices/disallow_host_filesystem.yaml
index a9b6b988f6..7ad0596f67 100644
--- a/samples/best_practices/disallow_host_filesystem.yaml
+++ b/samples/best_practices/disallow_host_filesystem.yaml
@@ -4,9 +4,13 @@ metadata:
 name: "deny-use-of-host-fs"
 annotations:
 policies.kyverno.io/category: Data Protection
- policies.kyverno.io/description: The volume of type 'hostpath' binds pods to a specific host,
- and data persisted in the volume is dependent on the life of the node. In a shared cluster,
- it is recommeded that applications are independent of hosts.
+ policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind
+ mounts (i.e. directories and volumes mounted to a host path) in containers. Using host
+ resources can be used to access shared data or escalate priviliges. Also, this couples pods
+ to a specific host and data persisted in the `hostPath` volume is coupled to the life of the
+ node leading to potential pod scheduling failures. It is highly recommeded that applications
+ are designed to be decoupled from the underlying infrstructure (in this case, nodes).
+
 spec:
 rules:
 - name: "deny-use-of-host-fs"
diff --git a/samples/best_practices/policy_validate_deny_runasrootuser.yaml b/samples/best_practices/policy_validate_deny_runasrootuser.yaml
deleted file mode 100644
index 3938e33998..0000000000
--- a/samples/best_practices/policy_validate_deny_runasrootuser.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
- name: validate-deny-runasrootuser
-spec:
- rules:
- - name: deny-runasrootuser
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: "Root user is not allowed. Set runAsNonRoot to true."
- anyPattern:
- - spec:
- securityContext:
- runAsNonRoot: true
- - spec:
- containers:
- - name: "*"
- securityContext:
- runAsNonRoot: true
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml b/test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml
index 6f6e9497b8..ae6e8116a3 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml
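Review bot: The new `policies.kyverno.io/description` lines carry three spelling errors — `priviliges`, `recommeded`, `infrstructure` — that will be shown verbatim wherever the annotation is rendered; the same words appear in the samples/DisallowHostFS.md hunk. Since the value is now a six-line plain scalar, a folded block would make the wrapping explicit and keep a future continuation line containing `: ` or ` #` from being parsed as a mapping or comment: `policies.kyverno.io/description: >-` followed by the same text indented beneath it. The added blank line before `spec:` is harmless but, as far as the hunk shows, not how the rest of the file separates stanzas.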
+++ b/test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml
@@ -1,6 +1,6 @@
 # file path relative to project root
 input:
- policy: samples/best_practices/policy_validate_deny_runasrootuser.yaml
+ policy: samples/best_practices/deny_runasrootuser.yaml
 resource: test/resources/resource_validate_nonRootUser.yaml
 expected:
 validation:
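Review bot: The scenario now points at `samples/best_practices/deny_runasrootuser.yaml`, but this diff only deletes `policy_validate_deny_runasrootuser.yaml` and does not add or rename a file to the new path, so the fixture will reference a missing policy unless that file already exists in the tree; worth confirming before merge. If a rename was intended, doing it as a rename in the same commit would keep the policy's history and let the diff show both paths together.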