Adding default policies for restricted mode and adding notes to helm install (#1556)

* Adding default policies for restricted mode, taking validationFailureAction from values.yaml and adding notes on helm install Signed-off-by: Raj Das <mail.rajdas@gmail.com> * Adding emoji Signed-off-by: Raj Das <mail.rajdas@gmail.com> * Update NOTES.txt * minor fix Signed-off-by: Raj Das <mail.rajdas@gmail.com> * adding to readme Signed-off-by: Raj Das <mail.rajdas@gmail.com>
2025-03-29 02:45:06 +00:00 · 2021-02-10 03:33:52 +05:30 · 2021-02-10 03:33:52 +05:30 · b04626a5f8
commit b04626a5f8
parent b46be39744
17 changed files with 35 additions and 23 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -102,6 +102,7 @@ Parameter | Description | Default
 `tolerations` | list of node taints to tolerate | `[]`
 `securityContext` | security context configuration | `{}`
 `podSecurityStandard` | set desired pod security level `privileged`, `default`, `restricted`. Set to `restricted` for maximum security for your cluster. See:  https://kyverno.io/policies/pod-security/ | `default`
+`validationFailureAction` | set to get response in failed validation check. Supported values- `audit`, `enforce`. See:  https://kyverno.io/docs/writing-policies/validate/ | `audit`

 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

--- a/charts/kyverno/templates/NOTES.txt
+++ b/charts/kyverno/templates/NOTES.txt
@ -0,0 +1,8 @@
+Thank you for installing {{ .Chart.Name }} 😀
+
+Your release is named {{ .Release.Name }}.
+
+We have installed the "default" profile of Pod Security Standards and set them in audit mode.
+
+Visit https://kyverno.io/policies/ to find more sample policies.
+
--- a/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@ -9,7 +9,7 @@ metadata:
      Capabilities permit privileged actions without giving full root access.
      Adding capabilities beyond the default set must not be allowed.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  background: true
  rules:
  - name: capabilities
--- a/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@ -10,7 +10,7 @@ metadata:
      network namespace) allow access to shared information and can be used to elevate
      privileges. Pods should not be allowed access to host namespaces.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  background: true
  rules:
  - name: host-namespaces
--- a/charts/kyverno/templates/policies/default/disallow-host-path.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-path.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@ -10,7 +10,7 @@ metadata:
      Using host resources can be used to access shared data or escalate privileges
      and should not be allowed.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  background: true
  rules:
  - name: host-path
--- a/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@ -9,7 +9,7 @@ metadata:
      Access to host ports allows potential snooping of network traffic and should not be
      allowed, or at minimum restricted to a known list.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  background: true
  rules:
  - name: host-ports
--- a/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@ -8,7 +8,7 @@ metadata:
    policies.kyverno.io/description: >-
      Privileged mode disables most security mechanisms and must not be allowed.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  background: true
  rules:
  - name: priviledged-containers
--- a/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@ -8,7 +8,7 @@ metadata:
    policies.kyverno.io/description: >-
      The default /proc masks are set up to reduce attack surface and should be required.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  background: true
  rules:
  - name: check-proc-mount
--- a/charts/kyverno/templates/policies/default/disallow-selinux.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-selinux.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@ -9,7 +9,7 @@ metadata:
    policies.kyverno.io/description: >-
      SELinux options can be used to escalate privileges and should not be allowed.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  background: true
  rules:
  - name: seLinux
--- a/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@ -11,7 +11,7 @@ metadata:
      The default policy should prevent overriding or disabling the policy, or restrict 
      overrides to an allowed set of profiles.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  background: true
  rules:
  - name: app-armor
--- a/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
+++ b/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.podSecurityStandard "default" }}
+{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@ -11,7 +11,7 @@ metadata:
      sysctl is considered safe if it is namespaced in the container or the
      Pod, and it is isolated from other Pods or processes on the same Node.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  background: true
  rules:
  - name: sysctls
--- a/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
+++ b/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
@ -9,7 +9,7 @@ metadata:
      Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
 spec:
  background: true
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  rules:
  - name: deny-privilege-escalation
    match:
--- a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
+++ b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
@ -9,7 +9,7 @@ metadata:
      Containers should be forbidden from running with a root primary or supplementary GID.
 spec:
  background: true
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  rules:
    - name: check-runasgroup
      match:
--- a/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
@ -8,7 +8,7 @@ metadata:
    policies.kyverno.io/description: Containers must be required to run as non-root users.
 spec:
  background: true
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  rules:
  - name: check-containers
    match:
--- a/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
+++ b/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
@ -11,7 +11,7 @@ metadata:
      additional profiles should be allowed.
 spec:
  background: true
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  rules:
  - name: seccomp
    match:
--- a/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
@ -10,7 +10,7 @@ metadata:
      limits usage of non-core volume types to those defined through PersistentVolumes.
 spec:
  background: true
-  validationFailureAction: audit
+  validationFailureAction: {{ .Values.validationFailureAction }}
  rules:
  - name: restricted-vol-gcePersistentDisk
    match:
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -4,6 +4,9 @@ namespace:
 # Supported- default/restricted/privileged
 # For more info- https://kyverno.io/policies/pod-security
 podSecurityStandard: default
+# Supported values- `audit`, `enforce`
+# For more info- https://kyverno.io/docs/writing-policies/validate/
+validationFailureAction: audit

 rbac:
  create: true