From a0539f1d76a3c00e5948a43f615622a2ce975c73 Mon Sep 17 00:00:00 2001 From: Chip Zoller Date: Wed, 11 Nov 2020 20:30:59 -0500 Subject: [PATCH] update README with new policies --- samples/README.md | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/samples/README.md b/samples/README.md index 51969a442c..9bc3163784 100644 --- a/samples/README.md +++ b/samples/README.md 
@@ -9,32 +9,34 @@ The policies are mostly validation rules in `audit` mode i.e. your existing work These policies are highly recommended. 1. [Disallow root user](DisallowRootUser.md) -2. [Disallow privileged containers](DisallowPrivilegedContainers.md) -3. [Disallow new capabilities](DisallowNewCapabilities.md) -4. [Disallow kernel parameter changes](DisallowSysctls.md) -5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowBindMounts.md) -6. [Disallow docker socket bind mount](DisallowDockerSockMount.md) -7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md) -8. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md) -9. [Disallow use of default namespace](DisallowDefaultNamespace.md) -10. [Disallow latest image tag](DisallowLatestTag.md) -11. [Disallow Helm Tiller](DisallowHelmTiller.md) -12. [Require read-only root filesystem](RequireReadOnlyRootFS.md) -13. [Require pod resource requests and limits](RequirePodRequestsLimits.md) -14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md) -15. [Add default network policy](AddDefaultNetworkPolicy.md) -16. [Add namespace quotas](AddNamespaceQuotas.md) -17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md) +1. [Disallow privileged containers](DisallowPrivilegedContainers.md) +1. [Disallow new capabilities](DisallowNewCapabilities.md) +1. [Disallow kernel parameter changes](DisallowSysctls.md) +1. [Disallow use of bind mounts (`hostPath` volumes)](DisallowBindMounts.md) +1. [Disallow docker socket bind mount](DisallowDockerSockMount.md) +1. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md) +1. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md) +1. [Disallow use of default namespace](DisallowDefaultNamespace.md) +1. [Disallow latest image tag](DisallowLatestTag.md) +1. [Disallow Helm Tiller](DisallowHelmTiller.md) +1. [Require read-only root filesystem](RequireReadOnlyRootFS.md) +1. 
[Require pod resource requests and limits](RequirePodRequestsLimits.md) +1. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md) +1. [Add default network policy](AddDefaultNetworkPolicy.md) +1. [Add namespace quotas](AddNamespaceQuotas.md) +1. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md) ## Additional Policies These policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments. -17. [Restrict image registries](RestrictImageRegistries.md) -18. [Restrict `NodePort` services](RestrictNodePort.md) -19. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md) -20. [Restrict ingress classes](RestrictIngressClasses.md) -21. [Restrict User Group](CheckUserGroup.md) +1. [Restrict image registries](RestrictImageRegistries.md) +1. [Restrict `NodePort` services](RestrictNodePort.md) +1. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md) +1. [Restrict ingress classes](RestrictIngressClasses.md) +1. [Restrict User Group](CheckUserGroup.md) +1. [Require pods are labeled](RequireLabels.md) +1. [Require pods have certain labels](RequireCertainLabels.md) ## Applying the sample policies
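Review bot: the two new entries at the end of the Additional Policies list, "Require pods are labeled" (RequireLabels.md) and "Require pods have certain labels" (RequireCertainLabels.md), read as near-duplicates; the titles should state how they differ (for example "Require at least one label on pods" versus "Require specific labels on pods") so a reader does not have to open both files to pick one. Replacing every ordinal with `1.` is a reasonable fix for the old numbering, which restarted the second list at `17.` while the first list also ended at `17.`, but it relies on the renderer auto-numbering; the raw file now shows `1.` for every item, so any doc that referred to a policy by its list number no longer matches. While these lines are being touched, "Restrict User Group" still links to CheckUserGroup.md, the only entry whose filename does not follow its title; renaming it to match the others (or the title to match the file) would keep the list consistent.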