update best practices section

2025-04-08 10:04:25 +00:00 · 2019-10-09 18:17:47 -07:00 · 2019-10-09 18:17:47 -07:00 · 904643acf0
commit 904643acf0
parent 1fe1a9b22b
1 changed files with 36 additions and 1 deletions
--- a/samples/README.md
+++ b/samples/README.md
@ -12,12 +12,47 @@ More information on each best-practice policy is provided below:

 By default, processes in a container run as a root user (uid 0). To prevent compromising the host, a best practice is to specify a least privileged user ID when building the container image, and require that application containers run as non root users. 

-**Policy YAML**: [deny_runasrootuser.yaml](best_practices/deny_runasrootuser.yaml) 
+***Policy YAML***: [deny_runasrootuser.yaml](best_practices/deny_runasrootuser.yaml) 

 **Aditional Information**
 * [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)


+## hostNetwork and hostPort not allowed
+
+Using `hostPort` and `hostNetwork` limits the number of nodes the pod can be scheduled on, as the pod is bound to the host thats its mapped to.
+To avoid this limitation, use a validate rule to make sure these attributes are set to null and false.
+
+***Policy YAML*** [disallow_host_network_hostport.yaml](best_practices/disallow_host_network_hostport.yaml)
+
+
+## Read-only root filesystem
+
+A read-only root file system helps to enforce an immutable infrastrucutre strategy, the container only need to write on mounted volume that persist the state. An immutable root filesystem can also prevent malicious binaries from writing to the host system.
+
+***Policy YAML*** [require_readonly_rootfilesystem.yaml](best_practices/require_readonly_rootfilesystem.yaml)
+
+
+## Disallow hostPID and hostIPC
+Sharing the host's PID namespace allows vibility of process on the host, potentially exposing porcess information. 
+Sharing the host's IPC namespace allows container process to communicate with processes on the host. 
+To avoid pod container from having visilbility to host process space, we can check `hostPID` and `hostIPC` are set as `false`.
+
+***Policy YAML***[disallow_hostpid_hostipc.yaml](best_practices/disallow_hostpid_hostipc.yaml)
+
+
+## Disallow node port
+Node port ranged service is advertised to the public and can be scanned and probed from others exposing all nodes.
+NetworkPolicy resources can currently only control NodePorts by allowing or disallowing all traffic on them. Unless required it is recommend to disable use to service type `NodePort`.
+
+***Policy YAML***[disallow_node_port.yaml](best_practices/disallow_node_port.yaml)
+
+## Disable privileged containers
+A process within priveleged containers get almost the same priveleges that are available to processes outside a container providing almost unrestricited host access. With `securityContext.allowPrivilegeEscalation` enabled the process can gain ore priveleges that its parent.
+To restrcit the priveleges it is recommend to run pod containers with `securityContext.priveleged` as `false` and 
+`allowPrivilegeEscalation` as `false`
+
+***Policy YAML***[disallow_priviledged_priviligedescalation.yaml](best_practices/disallow_priviledged_priviligedescalation.yaml)
 # Additional Policies

 | Description                                       	| Policy                                                                                                                                                                                           	| Details                                                                                                                                                                                                                                                                                                                                     	|