
chore: apply policy fixes (#8425)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2023-09-15 18:18:46 +02:00 committed by GitHub
parent 27b9ddea5d
commit 9361100f17
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 239 additions and 202 deletions


@ -4,68 +4,76 @@ kind: ClusterPolicy
metadata:
name: images
spec:
validationFailureAction: enforce
admission: true
background: true
rules:
- name: only-allow-trusted-images
match:
resources:
kinds:
- Pod
- match:
any:
- resources:
kinds:
- Pod
name: only-allow-trusted-images
preconditions:
- key: "{{request.operation}}"
all:
- key: '{{request.operation}}'
operator: NotEquals
value: DELETE
validate:
message: "images with root user are not allowed"
foreach:
- list: "request.object.spec.containers"
context:
- name: imageData
imageRegistry:
reference: "{{ element.image }}"
- context:
- imageRegistry:
reference: '{{ element.image }}'
name: imageData
deny:
conditions:
all:
- key: "{{ imageData.configData.config.User || ''}}"
operator: Equals
value: ""
- key: "{{ imageData.registry }}"
operator: NotEquals
value: "ghcr.io"
- key: '{{ imageData.configData.config.User || ''''}}'
operator: Equals
value: ""
- key: '{{ imageData.registry }}'
operator: NotEquals
value: ghcr.io
list: request.object.spec.containers
message: images with root user are not allowed
validationFailureAction: Enforce
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-image-base
spec:
validationFailureAction: enforce
admission: true
background: true
rules:
- name: check-image-base-rule
match:
- match:
any:
- resources:
kinds:
- Pod
name: check-image-base-rule
preconditions:
all:
- key: "{{request.operation}}"
- key: '{{request.operation}}'
operator: NotEquals
value: DELETE
validate:
message: "Images must specify a source/base image from which they are built to be valid."
foreach:
- list: "request.object.spec.containers"
context:
- name: imageData
imageRegistry:
reference: "{{ element.image }}"
- context:
- imageRegistry:
reference: '{{ element.image }}'
name: imageData
- name: mobysource
variable:
jmesPath: imageData.configData."moby.buildkit.buildinfo.v1" | base64_decode(@).parse_json(@) | sources[].ref | length(@)
default: 0
jmesPath: imageData.configData."moby.buildkit.buildinfo.v1" | base64_decode(@).parse_json(@)
| sources[].ref | length(@)
deny:
conditions:
all:
- key: "{{ mobysource }}"
operator: Equals
value: 0
- key: '{{ mobysource }}'
operator: Equals
value: 0
list: request.object.spec.containers
message: Images must specify a source/base image from which they are built to
be valid.
validationFailureAction: Enforce
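Review bot: Both regenerated foreach rules still iterate only `list: request.object.spec.containers` (once in `only-allow-trusted-images`, once in `check-image-base-rule`), so images in `initContainers` and `ephemeralContainers` are never inspected, and an init container image with no USER or no build-info annotation passes an Enforce policy unchecked. Kyverno's usual way to cover all three lists in a single foreach is a flattened JMESPath such as `list: request.object.spec.[containers, initContainers, ephemeralContainers][]`; confirm the engine version in use accepts that form before switching. Separately, the `mobysource` variable's `jmesPath` is now a plain scalar split across two lines with the continuation starting at `| sources[].ref | length(@)`, which parses but reads as if a block-scalar indicator were intended; writing it as `jmesPath: >-` followed by the expression would make the value unambiguous.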


@ -1,35 +1,39 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-labels
annotations:
policies.kyverno.io/category: Labels
policies.kyverno.io/description: This policy prevents the use of an label beginning
with a common key name (in this case "platform.das-schiff.telekom.de/owner |
owner"). This can be useful to ensure users either don't set reserved labels
or to force them to use a newer version of an label.
policies.kyverno.io/minversion: 1.3.0
policies.kyverno.io/title: Restrict Labels on Namespaces
labels:
policy.schiff.telekom.de: enforced
annotations:
policies.kyverno.io/title: Restrict Labels on Namespaces
policies.kyverno.io/category: Labels
policies.kyverno.io/minversion: 1.3.0
policies.kyverno.io/description: >-
This policy prevents the use of an label beginning with a common
key name (in this case "platform.das-schiff.telekom.de/owner | owner"). This can be useful to ensure users either
don't set reserved labels or to force them to
use a newer version of an label.
name: restrict-labels
spec:
validationFailureAction: enforce
admission: true
background: false
rules:
- name: restrict-labels
- exclude:
any:
- clusterRoles:
- cluster-admin
resources: {}
match:
resources:
kinds:
- Namespace
exclude:
clusterRoles:
- cluster-admin
any:
- resources:
kinds:
- Namespace
name: restrict-labels
validate:
message: 'Every namespace has to have `platform.das-schiff.telekom.de/owner` label. It must not have value `das-schiff` which is reserved for system namespaces'
message: Every namespace has to have `platform.das-schiff.telekom.de/owner`
label. It must not have value `das-schiff` which is reserved for system namespaces
pattern:
metadata:
labels:
platform.das-schiff.telekom.de/owner: "!das-schiff"
# For forward compatibility
=(schiff.telekom.de/owner): "!schiff"
=(schiff.telekom.de/owner): '!schiff'
platform.das-schiff.telekom.de/owner: '!das-schiff'
validationFailureAction: Enforce
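Review bot: The rewritten `exclude` entry now carries `resources: {}` alongside `clusterRoles`, which the original top-level `exclude.clusterRoles` did not. If the engine treats an empty resource descriptor as "no resource filter" this is harmless, but if it were treated as "matches no resource" the cluster-admin exclusion would silently stop applying and this Enforce rule would also block cluster-admin Namespace changes; a `kyverno test` case exercising a cluster-admin request would pin the intended behaviour. The `# For forward compatibility` comment on the `=(schiff.telekom.de/owner)` line is shown as context here; since the rest of the file was regenerated by a serializer, confirm it actually survives in the new file rather than being dropped.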


@ -1,39 +1,43 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
policies.kyverno.io/category: Best Practices
policies.kyverno.io/description: >-
The ':latest' tag is mutable and can lead to unexpected errors if the
image changes. A best practice is to use an immutable tag that maps to
a specific version of an application pod.
policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead
to unexpected errors if the image changes. A best practice is to use an immutable
tag that maps to a specific version of an application pod. '
name: disallow-latest-tag
spec:
validationFailureAction: audit
admission: true
background: true
rules:
- name: require-image-tag
match:
resources:
kinds:
- Pod
namespaces:
- test
- match:
any:
- resources:
kinds:
- Pod
namespaces:
- test
name: require-image-tag
validate:
message: "An image tag is required."
message: An image tag is required.
pattern:
spec:
containers:
- image: "*:*"
- name: validate-image-tag
match:
resources:
kinds:
- Pod
namespaces:
- test
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
namespaces:
- test
name: validate-image-tag
validate:
message: "Using a mutable image tag e.g. 'latest' is not allowed."
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: "!*:latest"
- image: '!*:latest'
validationFailureAction: Audit
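Review bot: The regenerated `policies.kyverno.io/description` value ends with a space before the closing quote (`... application pod. '`), most likely trailing whitespace on the last line of the old `>-` block — `>-` strips the final newline but keeps spaces — and that is what forced the serializer into a quoted multi-line scalar instead of a plain one. Strip that whitespace in the source so the annotation re-serializes cleanly; the same trailing space shows up in the other two disallow-latest-tag copies and in the add-networkpolicy, add-ns-quota and sync-secrets descriptions below. Separately, the `require-image-tag` pattern `- image: '*:*'` is satisfied by any reference containing a colon, so a constructed `registry.example:5000/app` (registry port, no tag) passes the tag requirement, and both rules inspect only `spec.containers`, not `initContainers`; the sample is Audit-only in the `test` namespace, so this is a coverage gap rather than a bypass, but a comment such as `# NOTE: '*:*' also matches registry ports and digests; initContainers are not checked` would save the next reader the surprise.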


@ -1,39 +1,43 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
policies.kyverno.io/category: Best Practices
policies.kyverno.io/description: >-
The ':latest' tag is mutable and can lead to unexpected errors if the
image changes. A best practice is to use an immutable tag that maps to
a specific version of an application pod.
policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead
to unexpected errors if the image changes. A best practice is to use an immutable
tag that maps to a specific version of an application pod. '
name: disallow-latest-tag
spec:
validationFailureAction: audit
admission: true
background: true
rules:
- name: require-image-tag
match:
resources:
kinds:
- Pod
namespaces:
- test
- match:
any:
- resources:
kinds:
- Pod
namespaces:
- test
name: require-image-tag
validate:
message: "An image tag is required."
message: An image tag is required.
pattern:
spec:
containers:
- image: "*:*"
- name: validate-image-tag
match:
resources:
kinds:
- Pod
namespaces:
- test
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
namespaces:
- test
name: validate-image-tag
validate:
message: "Using a mutable image tag e.g. 'latest' is not allowed."
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: "!*:latest"
- image: '!*:latest'
validationFailureAction: Audit


@ -1,39 +1,43 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
policies.kyverno.io/category: Best Practices
policies.kyverno.io/description: >-
The ':latest' tag is mutable and can lead to unexpected errors if the
image changes. A best practice is to use an immutable tag that maps to
a specific version of an application pod.
policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead
to unexpected errors if the image changes. A best practice is to use an immutable
tag that maps to a specific version of an application pod. '
name: disallow-latest-tag
spec:
validationFailureAction: audit
admission: true
background: true
rules:
- name: require-image-tag
match:
resources:
kinds:
- Pod
namespaces:
- test
- match:
any:
- resources:
kinds:
- Pod
namespaces:
- test
name: require-image-tag
validate:
message: "An image tag is required."
message: An image tag is required.
pattern:
spec:
containers:
- image: "*:*"
- name: validate-image-tag
match:
resources:
kinds:
- Pod
namespaces:
- test
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
namespaces:
- test
name: validate-image-tag
validate:
message: "Using a mutable image tag e.g. 'latest' is not allowed."
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: "!*:latest"
- image: '!*:latest'
validationFailureAction: Audit


@ -1,37 +1,41 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-networkpolicy
annotations:
policies.kyverno.io/title: Add Network Policy
policies.kyverno.io/category: Multi-Tenancy
policies.kyverno.io/description: 'By default, Kubernetes allows communications
across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in
that supports NetworkPolicy must be used to restrict communications. A default
NetworkPolicy should be configured for each Namespace to default deny all ingress
and egress traffic to the Pods in the Namespace. Application teams can then
configure additional NetworkPolicy resources to allow desired traffic to application
Pods from select sources. This policy will create a new NetworkPolicy resource
named `default-deny` which will deny all traffic anytime a new Namespace is
created. '
policies.kyverno.io/subject: NetworkPolicy
policies.kyverno.io/description: >-
By default, Kubernetes allows communications across all Pods within a cluster.
The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict
communications. A default NetworkPolicy should be configured for each Namespace to
default deny all ingress and egress traffic to the Pods in the Namespace. Application
teams can then configure additional NetworkPolicy resources to allow desired traffic
to application Pods from select sources. This policy will create a new NetworkPolicy resource
named `default-deny` which will deny all traffic anytime a new Namespace is created.
policies.kyverno.io/title: Add Network Policy
name: add-networkpolicy
spec:
admission: true
background: true
rules:
- name: default-deny
match:
resources:
kinds:
- Namespace
generate:
- generate:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
name: default-deny
namespace: "{{request.object.metadata.name}}"
synchronize: true
data:
spec:
# select all pods in the namespace
podSelector: {}
# deny all traffic
policyTypes:
- Ingress
- Egress
- Egress
kind: NetworkPolicy
name: default-deny
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
name: default-deny
validationFailureAction: Audit


@ -1,48 +1,42 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-ns-quota
annotations:
policies.kyverno.io/title: Add Quota
policies.kyverno.io/category: Multi-Tenancy
policies.kyverno.io/description: 'To better control the number of resources that
can be created in a given Namespace and provide default resource consumption
limits for Pods, ResourceQuota and LimitRange resources are recommended. This
policy will generate ResourceQuota and LimitRange resources when a new Namespace
is created. '
policies.kyverno.io/subject: ResourceQuota, LimitRange
policies.kyverno.io/description: >-
To better control the number of resources that can be created in a given
Namespace and provide default resource consumption limits for Pods,
ResourceQuota and LimitRange resources are recommended.
This policy will generate ResourceQuota and LimitRange resources when
a new Namespace is created.
policies.kyverno.io/title: Add Quota
name: add-ns-quota
spec:
admission: true
background: true
rules:
- name: generate-resourcequota
match:
resources:
kinds:
- Namespace
generate:
- generate:
apiVersion: v1
kind: ResourceQuota
name: default-resourcequota
synchronize: true
namespace: "{{request.object.metadata.name}}"
data:
spec:
hard:
requests.cpu: '4'
requests.memory: '16Gi'
limits.cpu: '4'
limits.memory: '16Gi'
- name: generate-limitrange
match:
resources:
kinds:
- Namespace
generate:
apiVersion: v1
kind: LimitRange
name: default-limitrange
limits.cpu: "4"
limits.memory: 16Gi
requests.cpu: "4"
requests.memory: 16Gi
kind: ResourceQuota
name: default-resourcequota
namespace: '{{request.object.metadata.name}}'
synchronize: true
namespace: "{{request.object.metadata.name}}"
match:
any:
- resources:
kinds:
- Namespace
name: generate-resourcequota
- generate:
apiVersion: v1
data:
spec:
limits:
@ -52,4 +46,15 @@ spec:
defaultRequest:
cpu: 200m
memory: 256Mi
type: Container
type: Container
kind: LimitRange
name: default-limitrange
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
name: generate-limitrange
validationFailureAction: Audit


@ -1,31 +1,35 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-secrets
annotations:
policies.kyverno.io/title: Sync Secrets
policies.kyverno.io/category: Sample
policies.kyverno.io/description: 'Secrets like registry credentials often need
to exist in multiple Namespaces so Pods there have access. Manually duplicating
those Secrets is time consuming and error prone. This policy will copy a Secret
called `regcred` which exists in the `default` Namespace to new Namespaces when
they are created. It will also push updates to the copied Secrets should the
source Secret be changed. '
policies.kyverno.io/subject: Secret
policies.kyverno.io/description: >-
Secrets like registry credentials often need to exist in multiple
Namespaces so Pods there have access. Manually duplicating those Secrets
is time consuming and error prone. This policy will copy a
Secret called `regcred` which exists in the `default` Namespace to
new Namespaces when they are created. It will also push updates to
the copied Secrets should the source Secret be changed.
policies.kyverno.io/title: Sync Secrets
name: sync-secrets
spec:
admission: true
background: true
rules:
- name: sync-image-pull-secret
match:
resources:
kinds:
- Namespace
generate:
- generate:
apiVersion: v1
clone:
name: regcred
namespace: default
kind: Secret
name: regcred
namespace: "{{request.object.metadata.name}}"
namespace: '{{request.object.metadata.name}}'
synchronize: true
clone:
namespace: default
name: regcred
match:
any:
- resources:
kinds:
- Namespace
name: sync-image-pull-secret
validationFailureAction: Audit