From ad8b1bf71959e6ebd40da9ea45f60dbfe3d69daa Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Tue, 3 Sep 2019 11:27:04 -0700
Subject: [PATCH] start best practice policies
---
 examples/best_practices/README.md | 23 +++++++++
 .../resources/nginx-deployment.yaml | 19 +++++++
 .../validate_container_security_context.yaml | 49 +++++++++++++++++++
 .../validate_default_namespace.yaml | 19 +++++++
 .../validate_host_network_port.yaml | 22 +++++++++
 .../best_practices/validate_host_path.yaml | 39 +++++++++++++++
 .../validate_image_registries.yaml | 19 +++++++
 .../best_practices/validate_image_tag.yaml | 34 +++++++++++++
 .../best_practices/validate_pod_probes.yaml | 25 ++++++++++
 .../validate_pod_resources.yaml | 25 ++++++++++
 .../fs/testdata/copy-test-with-symlink/a/b/3 | 2 +-
 11 files changed, 275 insertions(+), 1 deletion(-)
 create mode 100644 examples/best_practices/README.md
 create mode 100644 examples/best_practices/resources/nginx-deployment.yaml
 create mode 100644 examples/best_practices/validate_container_security_context.yaml
 create mode 100644 examples/best_practices/validate_default_namespace.yaml
 create mode 100644 examples/best_practices/validate_host_network_port.yaml
 create mode 100644 examples/best_practices/validate_host_path.yaml
 create mode 100644 examples/best_practices/validate_image_registries.yaml
 create mode 100644 examples/best_practices/validate_image_tag.yaml
 create mode 100644 examples/best_practices/validate_pod_probes.yaml
 create mode 100644 examples/best_practices/validate_pod_resources.yaml
diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
new file mode 100644
index 0000000000..3b995078d3
--- /dev/null
+++ b/examples/best_practices/README.md
@@ -0,0 +1,23 @@
+# Best Practice Policies
+
+This folder contains recommended policies
+
+| Best practice | Policy
+|------------------------------------------------|-----------------------------------------------------------------------|-
+| Run as non-root user |
+| Disallow privileged and privilege escalation |
+| Disallow use of host networking and ports |
+| Disallow use of host filesystem |
+| Disallow hostPOD and hostIPC |
+| Require read only root filesystem |
+| Disallow node ports |
+| Allow trusted registries |
+| Require resource requests and limits | [container_resources.yaml](container_resources.yaml)
+| Require pod liveness and readiness probes |
+| Require an image tag |
+| Disallow latest tag and pull IfNotPresent |
+| Require a namespace (disallow default) |
+| Disallow use of kube-system namespace |
+| Prevent mounting of service account secret |
+| Require a default network policy |
+| Require namespace quotas and limit ranges |
diff --git a/examples/best_practices/resources/nginx-deployment.yaml b/examples/best_practices/resources/nginx-deployment.yaml
new file mode 100644
index 0000000000..de9a9a08b9
--- /dev/null
+++ b/examples/best_practices/resources/nginx-deployment.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ labels:
+ app: "nirmata-nginx"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
diff --git a/examples/best_practices/validate_container_security_context.yaml b/examples/best_practices/validate_container_security_context.yaml
new file mode 100644
index 0000000000..acf28cf7af
--- /dev/null
+++ b/examples/best_practices/validate_container_security_context.yaml
@@ -0,0 +1,49 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: check-container-security-context
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: check-root-user
+ exclude:
+ namespace: kube-system
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Root user is not allowed. Set runAsNonRoot to true."
+ # See https://github.com/nirmata/kyverno/issues/285
+ # anyPattern:
+ # - spec:
+ # securityContext:
+ # runAsNonRoot: true
+ pattern:
+ spec:
+ containers:
+ - name: "*"
+ securityContext:
+ runAsNonRoot: true
+ - name: check-privilege
+ exclude:
+ namespace: kube-system
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false"
+ # See https://github.com/nirmata/kyverno/issues/285
+ # anyPattern:
+ # - spec:
+ # securityContext:
+ # allowPrivilegeEscalation: false
+ # privileged: false
+ pattern:
+ spec:
+ containers:
+ - name: "*"
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
diff --git a/examples/best_practices/validate_default_namespace.yaml b/examples/best_practices/validate_default_namespace.yaml
new file mode 100644
index 0000000000..55a38b7301
--- /dev/null
+++ b/examples/best_practices/validate_default_namespace.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: validate-namespace
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: check-default-namespace
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "A namespace is required"
+ anyPattern:
+ - metadata:
+ namespace: "?*"
+ - metadata:
+ namespace: "!default"
diff --git a/examples/best_practices/validate_host_network_port.yaml b/examples/best_practices/validate_host_network_port.yaml
new file mode 100644
index 0000000000..0de83370f8
--- /dev/null
+++ b/examples/best_practices/validate_host_network_port.yaml
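Review bot: The check-privilege message misspells the field it tells users to set — `allowPrivilegeEscalatin` — and since the audit message is what users will copy into their manifests it should read `message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"`. Both rules pattern only `spec.containers`, so an init container running as root or with `privileged: true` would presumably pass unnoticed; validate_pod_resources.yaml has the same `containers`-only gap, and a separate rule patterning `initContainers` is the safer shape if an absent key fails the match. The `exclude` here uses a scalar `namespace: kube-system`, whereas the commented-out exclude in validate_pod_probes.yaml uses a `namespaces` list, so one of the two forms likely does not match the v1alpha1 schema and the active one is worth confirming against the CRD. The pod-level `securityContext` alternative sketched in the comments is also needed before this rule stops flagging Pods that set `runAsNonRoot` at pod scope rather than per container.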
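Review bot: The two `anyPattern` entries are alternatives, so a Pod with `namespace: default` satisfies the first entry (`"?*"` accepts any non-empty value) and the rule passes it, which contradicts the README row 'Require a namespace (disallow default)'. Whether a Pod with no namespace is caught depends on how the matcher treats a pattern key absent from the resource; if an absent key fails the match, a single `pattern: metadata: namespace: "!default"` would likely reject both cases and the `anyPattern` is not needed — worth confirming with one Pod in `default` and one with no namespace. Note also that the API server normally assigns the request namespace before admission, so the missing-namespace case may only show up in offline testing.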
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: validate-host-network-port
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: validate-host-network-port
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Host network and port are not allowed"
+ pattern:
+ spec:
+ hostNetwork: false
+ containers:
+ - name: "*" # is name necessary??
+ ports:
+ hostPort: null
+
diff --git a/examples/best_practices/validate_host_path.yaml b/examples/best_practices/validate_host_path.yaml
new file mode 100644
index 0000000000..8f9ebec8b9
--- /dev/null
+++ b/examples/best_practices/validate_host_path.yaml
@@ -0,0 +1,39 @@
+# apiVersion : kyverno.io/v1alpha1
+# kind: Policy
+# metadata:
+# name: validate-host-dirs
+# spec:
+# rules:
+# - name: validate-host-path
+# match:
+# resources:
+# kinds:
+# - Pod
+# validate:
+# message: "Host path is not allowed"
+# pattern:
+# spec:
+# volumes:
+# - (name): "*"
+# hostPath:
+# path: ""
+
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: validate-host-path
+spec:
+ rules:
+ - name: validate-host-path
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Host path '/var/lib/' is not allowed"
+ pattern:
+ spec:
+ volumes:
+ - (name): "*"
+ +(hostPath):
+ path: "!/var/lib/*"
diff --git a/examples/best_practices/validate_image_registries.yaml b/examples/best_practices/validate_image_registries.yaml
new file mode 100644
index 0000000000..3624e29632
--- /dev/null
+++ b/examples/best_practices/validate_image_registries.yaml
@@ -0,0 +1,19 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: validate-image-registry
+spec:
+ rules:
+ - name: validate-image-registry
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Image registry is not allowed"
+ pattern:
+ spec:
+ containers:
+ - name: "*"
+ # Check allowed registries
+ image: "*nirmata* | https://private.registry.io/*"
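Review bot: In the `containers` entry, `ports` is written as a mapping holding `hostPort: null`, but `ports` is a list in the Pod API (the same pattern uses the list form `- name:` for `containers`), so the shape does not correspond to what a Pod carries and the hostPort check is unlikely to apply; whether `null` even expresses "must be absent" in the v1alpha1 matcher is a second thing to confirm. A Pod that omits `hostNetwork` (the API default is false) would presumably fail the `hostNetwork: false` line as well if an absent key fails the pattern, so in audit mode this would flag compliant Pods. Resolve the `# is name necessary??` working note before the example ships, and note the README row also promises hostPID/hostIPC coverage, which no rule in this commit provides.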
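Review bot: The `+(hostPath):` line is unlike every other pattern key in this commit — the validate patterns elsewhere use `(name)` and `(image)` as anchors — so if the leading `+` is a stray character or a different anchor type, the `path: "!/var/lib/*"` constraint is not attached to the volume's `hostPath` and the rule checks nothing beyond `(name): "*"`; the collapsed indentation here makes the nesting uncertain, so please confirm the rendered file parses and that the key reads `hostPath:` under the volume entry. The pattern also blocks a single directory while the README row says 'Disallow use of host filesystem'; if only `/var/lib/` is meant, say so in the README, otherwise the commented-out first draft that targets `hostPath` itself is closer to the stated goal, and the 19 commented lines should not ship in the example either way. `apiVersion :` (space before the colon, also in validate_image_registries.yaml and validate_image_tag.yaml) differs from the `apiVersion:` form used by the other files, and this file, unlike most of the others, sets no `validationFailureAction`.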
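Review bot: `image: "*nirmata* | https://private.registry.io/*"` does not pin the registry: `*nirmata*` is a substring match over the whole image reference, so an image from any host whose repository or tag merely contains `nirmata` passes, and image references never carry an `https://` scheme, so the second alternative can never match a real Pod. Anchor each alternative to the registry host as a prefix, e.g. `image: "<allowed-registry-host>/* | private.registry.io/*"` (the host is a placeholder), and decide explicitly about host-less references such as `nginx`, which resolve to Docker Hub and would be rejected by a prefix-anchored pattern. This file also omits `validationFailureAction`, which most of the other policies here set to `"audit"`, so confirm the default is the intended mode.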
diff --git a/examples/best_practices/validate_image_tag.yaml b/examples/best_practices/validate_image_tag.yaml
new file mode 100644
index 0000000000..80f39e09fc
--- /dev/null
+++ b/examples/best_practices/validate_image_tag.yaml
@@ -0,0 +1,34 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ annotations:
+ kyverno.io/category: images
+ kyverno.io/description: |
+ ......
+ name: validate-image
+spec:
+ rules:
+ - name: validate-tag
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "An image tag is required"
+ pattern:
+ spec:
+ containers:
+ - image: "*:*"
+ - name: validate-latest
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "imagePullPolicy 'Always' required with tag 'latest'"
+ pattern:
+ spec:
+ containers:
+ - (image): "*latest"
+ imagePullPolicy: Always
+
diff --git a/examples/best_practices/validate_pod_probes.yaml b/examples/best_practices/validate_pod_probes.yaml
new file mode 100644
index 0000000000..10ea7db464
--- /dev/null
+++ b/examples/best_practices/validate_pod_probes.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: validate-probes
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: check-probes
+ match:
+ resources:
+ kinds:
+ - Pod
+ # exclude:
+ # namespaces:
+ # - kube-system
+ validate:
+ message: "Liveness and readiness probes are required"
+ pattern:
+ spec:
+ containers:
+ livenessProbe:
+ periodSeconds: ">0"
+ readinessProbe:
+ periodSeconds: ">0"
+
diff --git a/examples/best_practices/validate_pod_resources.yaml b/examples/best_practices/validate_pod_resources.yaml
new file mode 100644
index 0000000000..7344917d01
--- /dev/null
+++ b/examples/best_practices/validate_pod_resources.yaml
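Review bot: The `kyverno.io/description` annotation holds the placeholder `......`; fill it in or drop the annotation until the text exists, since this is the first file in the set to use the category/description annotations and will be copied as the template. `"*:*"` in validate-tag is also satisfied by a registry port with no tag (`registry:5000/app`) and `"*latest"` in validate-latest matches any tag ending in `latest`, so both are looser than their messages suggest; and the README row says 'Disallow latest tag and pull IfNotPresent' while the rule permits `latest` with `imagePullPolicy: Always`, so one of the two should be aligned. Because the pattern requires `imagePullPolicy` to be present, a `:latest` image relying on the Kubernetes default (which is Always for latest) would presumably be flagged as well.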
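Review bot: Under `pattern.spec`, `containers` is followed directly by `livenessProbe:` as a mapping, whereas every other policy here (and the Pod API) treats `containers` as a list written `- name: "*"`, so the probe requirements sit one level too high and would presumably never match a real container. Insert `- name: "*"` after `containers:` and nest `livenessProbe` and `readinessProbe` under it, mirroring the `resources` pattern in validate_pod_resources.yaml. The commented-out `exclude` block should either be enabled or removed; it uses a `namespaces` list while the active exclude in validate_container_security_context.yaml uses a scalar `namespace`, and only one of those shapes is likely valid for v1alpha1.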
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: check-resources
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: check-pod-resources
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "CPU and memory resource requests and limits are required"
+ pattern:
+ spec:
+ containers:
+ - name: "*"
+ resources:
+ requests:
+ memory: "?*"
+ cpu: "?*"
+ limits:
+ memory: "?*"
+ cpu: "?*"
diff --git a/vendor/gotest.tools/fs/testdata/copy-test-with-symlink/a/b/3 b/vendor/gotest.tools/fs/testdata/copy-test-with-symlink/a/b/3
index 934fb97feb..9846291630 120000
--- a/vendor/gotest.tools/fs/testdata/copy-test-with-symlink/a/b/3
+++ b/vendor/gotest.tools/fs/testdata/copy-test-with-symlink/a/b/3
@@ -1 +1 @@
-/some/inexistent/link
\ No newline at end of file
+C:/some/inexistent/link
\ No newline at end of file