mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-28 18:38:40 +00:00
Code Activity

feat: gen kyverno-policies helm chart docs (#3301)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
Charles-Edouard Brétéché 2022-02-25 17:22:00 +01:00 committed by GitHub
parent 378a1d6b95
commit b7f6fc81db
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 157 additions and 69 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
Makefile
View file

@ -355,3 +355,11 @@ fmt: goimports
vet:
go vet ./...
##################################
# HELM
##################################
.PHONY: gen-helm-docs
gen-helm-docs: ## Generate Helm docs
@docker run -v ${PWD}:/work -w /work jnorwood/helm-docs:v1.6.0 -s file

2
charts/kyverno-policies/Chart.yaml
View file

@ -1,4 +1,5 @@
apiVersion: v1
type: application
name: kyverno-policies
version: v2.3.0
appVersion: v1.6.0
@ -16,5 +17,4 @@ sources:
maintainers:
- name: Nirmata
url: https://kyverno.io/
engine: gotpl
kubeVersion: ">=1.16.0-0"

53
charts/kyverno-policies/README.md
View file

@ -1,4 +1,8 @@
# Kyverno Policies
# kyverno-policies
Kubernetes Pod Security Standards implemented as Kyverno policies
![Version: v2.3.0](https://img.shields.io/badge/Version-v2.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.0](https://img.shields.io/badge/AppVersion-v1.6.0-informational?style=flat-square)
## About
@ -33,7 +37,7 @@ An additional policy "require-non-root-groups" is included in an `other` group a
For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security.
## TL;DR Instructions
## Installing the Chart
These PSS policies presently have a minimum requirement of Kyverno 1.6.0.
@ -55,31 +59,34 @@ $ helm delete -n kyverno kyverno-policies
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
## Values
The following table lists the configurable parameters of the kyverno chart and their default values.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| podSecurityStandard | string | `"baseline"` | Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`). For more info https://kyverno.io/policies/pod-security. |
| podSecuritySeverity | string | `"medium"` | Pod Security Standard (`low`, `medium`, `high`). |
| podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. |
| includeOtherPolicies | list | `[]` | Additional policies to include from `other`. |
| validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
| validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
| policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
| nameOverride | string | `nil` | Name override. |
| customLabels | object | `{}` | Additional labels. |
| background | bool | `true` | Policies background mode |
| Parameter | Description | Default |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `includeOtherPolicies` | Additional policies to include from `other` directory | `[]` |
| `podSecurityStandard` | set desired pod security level `privileged`, `baseline`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `baseline` |
| `podSecuritySeverity` | set desired pod security severity `low`, `medium`, `high`. Used severity level in PolicyReportResults for the selected pod security policies. | `medium` |
| `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` |
| `policyExclude` | Exclude resources from individual policies | `{}` |
| `validationFailureAction` | set to get response in failed validation check. Supported values are `audit` and `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` |
| `validationFailureActionOverrides` | Set validate failure action overrides to either all policies or select policies. See: https://kyverno.io/docs/writing-policies/validate/ | `{}` |
## Source Code
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
* <https://github.com/kyverno/policies>
```console
$ helm install --namespace kyverno kyverno-policies ./charts/kyverno-policies \
--set=podSecurityStandard=restricted,validationFailureAction=enforce
```
## Requirements
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
Kubernetes: `>=1.16.0-0`
```console
$ helm install --namespace kyverno kyverno-policies ./charts/kyverno-policies -f values.yaml
```
## Maintainers
> **Tip**: You can use the default [values.yaml](values.yaml)
| Name | Email | Url |
| ---- | ------ | --- |
| Nirmata | | https://kyverno.io/ |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0)

70
charts/kyverno-policies/README.md.gotmpl Normal file
View file

@ -0,0 +1,70 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.description" . }}
{{ template "chart.badgesSection" . }}
## About
This chart contains Kyverno's implementation of the Kubernetes Pod Security Standards (PSS) as documented at https://kubernetes.io/docs/concepts/security/pod-security-standards/ and are a Helm packaged version of those found at https://github.com/kyverno/policies/tree/main/pod-security. The goal of the PSS controls is to provide a good starting point for general Kubernetes cluster operational security. These controls are broken down into two categories, Baseline and Restricted. Baseline policies implement the most basic of Pod security controls while Restricted implements more strict controls. Restricted is cumulative and encompasses those listed in Baseline.
The following policies are included in each profile.
**Baseline**
* disallow-capabilities
* disallow-host-namespaces
* disallow-host-path
* disallow-host-ports
* disallow-host-process
* disallow-privileged-containers
* disallow-proc-mount
* disallow-selinux
* restrict-apparmor-profiles
* restrict-seccomp
* restrict-sysctls
**Restricted**
* disallow-capabilities-strict
* disallow-privilege-escalation
* require-run-as-non-root-user
* require-run-as-nonroot
* restrict-seccomp-strict
* restrict-volume-types
An additional policy "require-non-root-groups" is included in an `other` group as this was previously included in the official PSS controls but since removed.
For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security.
## Installing the Chart
These PSS policies presently have a minimum requirement of Kyverno 1.6.0.
```console
## Add the Kyverno Helm repository
$ helm repo add kyverno https://kyverno.github.io/kyverno/
## Install the Kyverno Policies Helm chart
$ helm install kyverno-policies --namespace kyverno kyverno/kyverno-policies
```
## Uninstalling the Chart
To uninstall/delete the `kyverno-policies` chart:
```console
$ helm delete -n kyverno kyverno-policies
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
{{ template "chart.valuesSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.maintainersSection" . }}
{{ template "helm-docs.versionFooter" . }}

93
charts/kyverno-policies/values.yaml
View file

@ -1,56 +1,59 @@
# Supported- baseline/restricted/privileged/custom
# For more info- https://kyverno.io/policies/pod-security
# -- Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`).
# For more info https://kyverno.io/policies/pod-security.
podSecurityStandard: baseline
# Supported- low/medium/high
# -- Pod Security Standard (`low`, `medium`, `high`).
podSecuritySeverity: medium
# Policies to include when podSecurityStandard is custom
# -- Policies to include when `podSecurityStandard` is `custom`.
podSecurityPolicies: []
# Additional policies to include from "other"
# Example:
# includeOtherPolicies:
# - require-non-root-groups
# -- Additional policies to include from `other`.
includeOtherPolicies: []
# Supported values- `audit`, `enforce`
# For more info- https://kyverno.io/docs/writing-policies/validate/
# - require-non-root-groups
# -- Validation failure action (`audit`, `enforce`).
# For more info https://kyverno.io/docs/writing-policies/validate.
validationFailureAction: audit
# Define validationFailureActionOverrides for specific policies.
# The overrides for 'all' will apply to all policies
# Eg:
# validationFailureActionOverrides:
# all:
# - action: audit
# namespaces:
# - ingress-nginx
# disallow-host-path:
# - action: audit
# namespaces:
# - fluent
# -- Define validationFailureActionOverrides for specific policies.
# The overrides for `all` will apply to all policies.
validationFailureActionOverrides:
all: []
# Exclude resources from individual policies
# Eg:
# policyExclude:
# disallow-host-path:
# any:
# - resources:
# kinds:
# - Pod
# namespaces:
# - fluent
#
# Policies with multiple rules can have individual rules excluded:
# policyExclude:
# adding-capabilities-strict:
# any:
# - resources:
# kinds:
# - Pod
# namespaces:
# - kube-system
policyExclude: {}
# all:
# - action: audit
# namespaces:
# - ingress-nginx
# disallow-host-path:
# - action: audit
# namespaces:
# - fluent
# -- Exclude resources from individual policies.
# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map.
policyExclude: {}
# # Exclude resources from individual policies
# disallow-host-path:
# any:
# - resources:
# kinds:
# - Pod
# namespaces:
# - fluent
# # Policies with multiple rules can have individual rules excluded
# adding-capabilities-strict:
# any:
# - resources:
# kinds:
# - Pod
# namespaces:
# - kube-system
# -- Name override.
nameOverride:
# -- Additional labels
# -- Additional labels.
customLabels: {}
# Policies background mode
# -- Policies background mode
background: true