update restrict_image_registries

2024-12-14 11:57:48 +00:00 · 2019-11-10 18:13:01 -08:00 · 2019-11-10 18:13:01 -08:00 · a6d5fb6e30
commit a6d5fb6e30
parent f31abbffab
15 changed files with 13 additions and 61 deletions
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@ -92,8 +92,8 @@ func Test_validate_volume_whitelist(t *testing.T) {
 	testScenario(t, "test/scenarios/other/scenario_validate_volume_whiltelist.yaml")
 }

-func Test_validate_trusted_image_registries(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml")
+func Test_validate_restrict_image_registries(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/restrict_image_registries.yaml")
 }

 func Test_require_pod_requests_limits(t *testing.T) {
--- a/samples/AddSafeToEvict.md
+++ b/samples/AddSafeToEvict.md
@ -17,11 +17,6 @@ apiVersion: "kyverno.io/v1alpha1"
 kind: "ClusterPolicy"
 metadata: 
  name: "add-safe-to-evict"
-  annotations:
-    policies.kyverno.io/category: AutoScaling
-    policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict pods that 
-      use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation 
-      cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods. 
 spec: 
  rules: 
  - name: "annotate-empty-dir"
--- a/samples/DisallowBindMounts.md
+++ b/samples/DisallowBindMounts.md
@ -11,10 +11,6 @@ apiVersion: "kyverno.io/v1alpha1"
 kind: "ClusterPolicy"
 metadata: 
  name: "disallow-bind-mounts"
-  annotations:
-    policies.kyverno.io/category: Data Protection
-    policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind mounts (i.e. directories and volumes mounted to a host path) in containers. Using host resources can be used to access shared data or escalate priviliges. Also, this couples pods to a specific host and data persisted in the `hostPath` volume is coupled to the life of the node leading to potential pod scheduling failures. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes).
-
 spec: 
  rules: 
  - name: "validate-hostPath"
--- a/samples/DisallowDockerSockMount.md
+++ b/samples/DisallowDockerSockMount.md
@ -13,11 +13,6 @@ apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
  name: disallow-docker-sock-mount
-  annotations:
-    policies.kyverno.io/category: Security
-    policies.kyverno.io/description: The Docker socket bind mount allows access to the 
-      Docker daemon on the node. This access can be used for privilege escalation and 
-      to manage containers outside of Kubernetes, and hence should not be allowed.  
 spec:
  rules:
  - name: validate-docker-sock-mount
--- a/samples/DisallowHelmTiller.md
+++ b/samples/DisallowHelmTiller.md
@ -9,9 +9,6 @@ apiVersion : kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
  name: disallow-helm-tiller
-  annotations:
-    policies.kyverno.io/category: Security
-    policies.kyverno.io/description: 
 spec:
  rules:
  - name: validate-helm-tiller
--- a/samples/DisallowHostPIDIPC.md
+++ b/samples/DisallowHostPIDIPC.md
@ -13,9 +13,6 @@ apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
  name: disallow-host-pid-ipc
-  annotations:
-    policies.kyverno.io/category: Security
-    policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process on the host, potentially exposing process information. Sharing the host's IPC namespace allows the container process to communicate with processes on the host. To avoid pod container from having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
 spec:
  validationFailureAction: audit
  rules:
--- a/samples/DisallowLatestTag.md
+++ b/samples/DisallowLatestTag.md
@ -12,11 +12,6 @@ apiVersion : kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
  name: disallow-latest-tag
-  annotations:
-    policies.kyverno.io/category: Image
-    policies.kyverno.io/description: The ':latest' tag is mutable and can lead to 
-      unexpected errors if the image changes. A best practice is to use an immutable 
-      tag that maps to a specific version of an application pod.
 spec:
  rules:
  - name: require-tag
--- a/samples/DisallowNewCapabilities.md
+++ b/samples/DisallowNewCapabilities.md
@ -15,13 +15,6 @@ apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
  name: disallow-new-capabilities
-  annotations:
-    policies.kyverno.io/category: Security
-    policies.kyverno.io/description: Linux allows defining fine-grained permissions using
-      capabilities. With Kubernetes, it is possible to add capabilities that escalate the
-      level of kernel access and allow other potentially dangerous behaviors. This policy 
-      enforces that pods cannot add new capabilities. Other policies can be used to set 
-      default capabilities. 
 spec:
  rules:
  - name: validate-add-capabilities
--- a/samples/DisallowRootUser.md
+++ b/samples/DisallowRootUser.md
@ -16,11 +16,6 @@ kind: ClusterPolicy
 metadata:
  name: disallow-root-user
  annotations:
-    policies.kyverno.io/category: Security
-    policies.kyverno.io/description: By default, processes in a container run as a 
-      root user (uid 0). To prevent potential compromise of container hosts, specify a 
-      least privileged user ID when building the container image and require that 
-      application containers run as non root users.
 spec:
  rules:
  - name: validate-runAsNonRoot
--- a/samples/KnownIngressClass.md
+++ b/samples/KnownIngressClass.md
@ -13,9 +13,6 @@ apiVersion : kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
  name: known-ingress
-  annotations:
-    policies.kyverno.io/category: Ingress
-    policies.kyverno.io/description: 
 spec:
  rules:
  - name: known-ingress
--- a/samples/README.md
+++ b/samples/README.md
@ -47,7 +47,7 @@ These policies are highly recommended.
 9. [Disallow use of default namespace](DisallowDefaultNamespace.md)
 10. [Disallow latest image tag](DisallowLatestTag.md)
 11. [Disallow Helm Tiller](DisallowHelmTiller.md)
-12. [Restrict image registries](DisallowUnknownRegistries.md)
+12. [Restrict image registries](RestrictImageRegistries.md)
 13. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)
 14. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
 15. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
--- a/samples/RequireReadOnlyRootFS.md
+++ b/samples/RequireReadOnlyRootFS.md
@ -12,12 +12,6 @@ apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
  name: require-ro-rootfs
-  annotations:
-    policies.kyverno.io/category: Security Context
-    policies.kyverno.io/description: A read-only root file system helps to enforce an immutable 
-      infrastructure strategy; the container only needs to write on the mounted volume that p
-      ersists the state. An immutable root filesystem can also prevent malicious binaries from 
-      writing to the host system.
 spec:
  rules:
  - name: validate-readOnlyRootFilesystem
--- a/samples/DisallowUnknownRegistries.md
+++ b/samples/DisallowUnknownRegistries.md
@ -6,16 +6,16 @@ You can customize this policy to allow image registries that you trust.

 ## Policy YAML 

-[trusted_image_registries.yaml](best_practices/trusted_image_registries.yaml) 
+[restrict_image_registries.yaml](best_practices/restrict_image_registries.yaml) 

 ````yaml
 apiVersion : kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: trusted-registries
+  name: restrict-image-registries
 spec:
  rules:
-  - name: trusted-registries
+  - name: validate-registries
    match:
      resources:
        kinds:
--- a/samples/best_practices/restrict_image_registries.yaml
+++ b/samples/best_practices/restrict_image_registries.yaml
@ -1,21 +1,20 @@
 apiVersion : kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: trusted-registries
+  name: restrict-image-registries
  annotations:
    policies.kyverno.io/category: Image
    policies.kyverno.io/description: Images from unknown registries may not be scanned and secured. 
-      Requiring use of known registries helps reduce threat exposure. You can customize this policy 
-      to allow image registries that you trust.
+      Requiring use of known registries helps reduce threat exposure.
 spec:
  rules:
-  - name: trusted-registries
+  - name: validate-registries
    match:
      resources:
        kinds:
        - Pod
    validate:
-      message: "Deny untrusted registries"
+      message: "Unknown image registry"
      pattern:
        spec:
          containers:
--- a/test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml
@ -1,18 +1,17 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/trusted_image_registries.yaml
+  policy: samples/best_practices/restrict_image_registries.yaml
  resource: test/resources//trusted_image_registries.yaml
 expected:
  validation:
    policyresponse:
-      policy: trusted-registries
+      policy: restrict-image-registries
      resource:
        kind: Pod
        apiVersion: v1
        namespace: ''
        name: k8s-nginx
      rules:
-        - name: trusted-registries
+        - name: validate-registries
          type: Validation
-          message: Validation rule 'trusted-registries' succeeded.
          success: true