mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-29 02:45:06 +00:00
Code Activity

Fix Helm charts (#1828)

Browse source 
* Fix Helm charts to render  correctly

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Make Helm chart policies consistent

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
This commit is contained in:
treydock 2021-04-20 16:08:30 -04:00 committed by GitHub
parent 56183cc73d
commit b5fd23588a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
15 changed files with 26 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
charts/kyverno/templates/clusterrole.yaml
View file

@ -194,4 +194,4 @@ rules:
- reportchangerequests
- clusterreportchangerequests
verbs:
- "*"
- "*"

6
charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "disallow-add-capabilities" -}}
{{- $name := "disallow-add-capabilities" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -8,7 +8,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
Capabilities permit privileged actions without giving full root access.
Adding capabilities beyond the default set must not be allowed.
@ -36,4 +36,4 @@ spec:
- =(securityContext):
=(capabilities):
X(add): null
{{- end -}}
{{- end -}}

4
charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "disallow-host-namespaces" -}}
{{- $name := "disallow-host-namespaces" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -8,7 +8,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
network namespace) allow access to shared information and can be used to elevate

4
charts/kyverno/templates/policies/default/disallow-host-path.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "disallow-host-path" -}}
{{- $name := "disallow-host-path" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -8,7 +8,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
HostPath volumes let pods use host directories and volumes in containers.
Using host resources can be used to access shared data or escalate privileges

2
charts/kyverno/templates/policies/default/disallow-host-ports.yaml
View file

@ -8,7 +8,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should not be
allowed, or at minimum restricted to a known list.

2
charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
View file

@ -8,7 +8,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
Privileged mode disables most security mechanisms and must not be allowed.
spec:

2
charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
View file

@ -8,7 +8,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
The default /proc masks are set up to reduce attack surface and should be required.
spec:

2
charts/kyverno/templates/policies/default/disallow-selinux.yaml
View file

@ -9,7 +9,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
SELinux options can be used to escalate privileges and should not be allowed.
spec:

4
charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "restrict-apparmor-profiles" -}}
{{- $name := "restrict-apparmor-profiles" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -9,7 +9,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
The default policy should prevent overriding or disabling the policy, or restrict

4
charts/kyverno/templates/policies/default/restrict-sysctls.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "restrict-sysctls" -}}
{{- $name := "restrict-sysctls" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -8,7 +8,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
Sysctls can disable security mechanisms or affect all containers on a
host, and should be disallowed except for an allowed "safe" subset. A

4
charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "deny-privilege-escalation" -}}
{{- $name := "deny-privilege-escalation" }}
{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -8,7 +8,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
spec:

4
charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "require-non-root-groups" -}}
{{- $name := "require-non-root-groups" }}
{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -8,7 +8,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
Containers should be forbidden from running with a root primary or supplementary GID.
spec:

4
charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "require-run-as-non-root" -}}
{{- $name := "require-run-as-non-root" }}
{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -8,7 +8,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: Containers must be required to run as non-root users.
spec:
background: true

4
charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "restrict-seccomp" -}}
{{- $name := "restrict-seccomp" }}
{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -9,7 +9,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
The runtime default seccomp profile must be required, or only specific
additional profiles should be allowed.

4
charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "restrict-volume-types" -}}
{{- $name := "restrict-volume-types" }}
{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -8,7 +8,7 @@ metadata:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end -}}
{{- end }}
policies.kyverno.io/description: >-
In addition to restricting HostPath volumes, the restricted pod security profile
limits usage of non-core volume types to those defined through PersistentVolumes.