From b7f6fc81db76e1cae869354b46d57693579eb405 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 25 Feb 2022 17:22:00 +0100 Subject: [PATCH] feat: gen kyverno-policies helm chart docs (#3301) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- Makefile | 8 ++ charts/kyverno-policies/Chart.yaml | 2 +- charts/kyverno-policies/README.md | 53 ++++++++------ charts/kyverno-policies/README.md.gotmpl | 70 ++++++++++++++++++ charts/kyverno-policies/values.yaml | 93 ++++++++++++------------ 5 files changed, 157 insertions(+), 69 deletions(-) create mode 100644 charts/kyverno-policies/README.md.gotmpl diff --git a/Makefile b/Makefile index bb17de97c8..0d56163f0f 100644 --- a/Makefile +++ b/Makefile @@ -355,3 +355,11 @@ fmt: goimports vet: go vet ./... +################################## +# HELM +################################## + +.PHONY: gen-helm-docs +gen-helm-docs: ## Generate Helm docs + @docker run -v ${PWD}:/work -w /work jnorwood/helm-docs:v1.6.0 -s file + diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml index 38c67f2d42..e0449986e9 100644 --- a/charts/kyverno-policies/Chart.yaml +++ b/charts/kyverno-policies/Chart.yaml @@ -1,4 +1,5 @@ apiVersion: v1 +type: application name: kyverno-policies version: v2.3.0 appVersion: v1.6.0 @@ -16,5 +17,4 @@ sources: maintainers: - name: Nirmata url: https://kyverno.io/ -engine: gotpl kubeVersion: ">=1.16.0-0" diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md index 0856a663f7..bbe9f7ab46 100644 --- a/charts/kyverno-policies/README.md +++ b/charts/kyverno-policies/README.md @@ -1,4 +1,8 @@ -# Kyverno Policies +# kyverno-policies + +Kubernetes Pod Security Standards implemented as Kyverno policies + +![Version: v2.3.0](https://img.shields.io/badge/Version-v2.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.0](https://img.shields.io/badge/AppVersion-v1.6.0-informational?style=flat-square) ## About @@ -33,7 +37,7 @@ An additional policy "require-non-root-groups" is included in an `other` group a For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security. -## TL;DR Instructions +## Installing the Chart These PSS policies presently have a minimum requirement of Kyverno 1.6.0. @@ -55,31 +59,34 @@ $ helm delete -n kyverno kyverno-policies The command removes all the Kubernetes components associated with the chart and deletes the release. -## Configuration +## Values -The following table lists the configurable parameters of the kyverno chart and their default values. +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| podSecurityStandard | string | `"baseline"` | Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`). For more info https://kyverno.io/policies/pod-security. | +| podSecuritySeverity | string | `"medium"` | Pod Security Standard (`low`, `medium`, `high`). | +| podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. | +| includeOtherPolicies | list | `[]` | Additional policies to include from `other`. | +| validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. | +| validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. | +| policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. | +| nameOverride | string | `nil` | Name override. | +| customLabels | object | `{}` | Additional labels. | +| background | bool | `true` | Policies background mode | -| Parameter | Description | Default | -| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `includeOtherPolicies` | Additional policies to include from `other` directory | `[]` | -| `podSecurityStandard` | set desired pod security level `privileged`, `baseline`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `baseline` | -| `podSecuritySeverity` | set desired pod security severity `low`, `medium`, `high`. Used severity level in PolicyReportResults for the selected pod security policies. | `medium` | -| `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` | -| `policyExclude` | Exclude resources from individual policies | `{}` | -| `validationFailureAction` | set to get response in failed validation check. Supported values are `audit` and `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` | -| `validationFailureActionOverrides` | Set validate failure action overrides to either all policies or select policies. See: https://kyverno.io/docs/writing-policies/validate/ | `{}` | +## Source Code -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, +* -```console -$ helm install --namespace kyverno kyverno-policies ./charts/kyverno-policies \ - --set=podSecurityStandard=restricted,validationFailureAction=enforce -``` +## Requirements -Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, +Kubernetes: `>=1.16.0-0` -```console -$ helm install --namespace kyverno kyverno-policies ./charts/kyverno-policies -f values.yaml -``` +## Maintainers -> **Tip**: You can use the default [values.yaml](values.yaml) +| Name | Email | Url | +| ---- | ------ | --- | +| Nirmata | | https://kyverno.io/ | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0) diff --git a/charts/kyverno-policies/README.md.gotmpl b/charts/kyverno-policies/README.md.gotmpl new file mode 100644 index 0000000000..d3529f1eb1 --- /dev/null +++ b/charts/kyverno-policies/README.md.gotmpl @@ -0,0 +1,70 @@ +{{ template "chart.header" . }} +{{ template "chart.deprecationWarning" . }} +{{ template "chart.description" . }} + +{{ template "chart.badgesSection" . }} + +## About + +This chart contains Kyverno's implementation of the Kubernetes Pod Security Standards (PSS) as documented at https://kubernetes.io/docs/concepts/security/pod-security-standards/ and are a Helm packaged version of those found at https://github.com/kyverno/policies/tree/main/pod-security. The goal of the PSS controls is to provide a good starting point for general Kubernetes cluster operational security. These controls are broken down into two categories, Baseline and Restricted. Baseline policies implement the most basic of Pod security controls while Restricted implements more strict controls. Restricted is cumulative and encompasses those listed in Baseline. + +The following policies are included in each profile. + +**Baseline** + +* disallow-capabilities +* disallow-host-namespaces +* disallow-host-path +* disallow-host-ports +* disallow-host-process +* disallow-privileged-containers +* disallow-proc-mount +* disallow-selinux +* restrict-apparmor-profiles +* restrict-seccomp +* restrict-sysctls + +**Restricted** + +* disallow-capabilities-strict +* disallow-privilege-escalation +* require-run-as-non-root-user +* require-run-as-nonroot +* restrict-seccomp-strict +* restrict-volume-types + +An additional policy "require-non-root-groups" is included in an `other` group as this was previously included in the official PSS controls but since removed. + +For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security. + +## Installing the Chart + +These PSS policies presently have a minimum requirement of Kyverno 1.6.0. + +```console +## Add the Kyverno Helm repository +$ helm repo add kyverno https://kyverno.github.io/kyverno/ + +## Install the Kyverno Policies Helm chart +$ helm install kyverno-policies --namespace kyverno kyverno/kyverno-policies +``` + +## Uninstalling the Chart + +To uninstall/delete the `kyverno-policies` chart: + +```console +$ helm delete -n kyverno kyverno-policies +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +{{ template "chart.valuesSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml index 215c124e42..1f4df4d84d 100644 --- a/charts/kyverno-policies/values.yaml +++ b/charts/kyverno-policies/values.yaml @@ -1,56 +1,59 @@ -# Supported- baseline/restricted/privileged/custom -# For more info- https://kyverno.io/policies/pod-security +# -- Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`). +# For more info https://kyverno.io/policies/pod-security. podSecurityStandard: baseline -# Supported- low/medium/high + +# -- Pod Security Standard (`low`, `medium`, `high`). podSecuritySeverity: medium -# Policies to include when podSecurityStandard is custom + +# -- Policies to include when `podSecurityStandard` is `custom`. podSecurityPolicies: [] -# Additional policies to include from "other" -# Example: -# includeOtherPolicies: -# - require-non-root-groups + +# -- Additional policies to include from `other`. includeOtherPolicies: [] -# Supported values- `audit`, `enforce` -# For more info- https://kyverno.io/docs/writing-policies/validate/ +# - require-non-root-groups + +# -- Validation failure action (`audit`, `enforce`). +# For more info https://kyverno.io/docs/writing-policies/validate. validationFailureAction: audit -# Define validationFailureActionOverrides for specific policies. -# The overrides for 'all' will apply to all policies -# Eg: -# validationFailureActionOverrides: -# all: -# - action: audit -# namespaces: -# - ingress-nginx -# disallow-host-path: -# - action: audit -# namespaces: -# - fluent + +# -- Define validationFailureActionOverrides for specific policies. +# The overrides for `all` will apply to all policies. validationFailureActionOverrides: all: [] -# Exclude resources from individual policies -# Eg: -# policyExclude: -# disallow-host-path: -# any: -# - resources: -# kinds: -# - Pod -# namespaces: -# - fluent -# -# Policies with multiple rules can have individual rules excluded: -# policyExclude: -# adding-capabilities-strict: -# any: -# - resources: -# kinds: -# - Pod -# namespaces: -# - kube-system -policyExclude: {} + # all: + # - action: audit + # namespaces: + # - ingress-nginx + # disallow-host-path: + # - action: audit + # namespaces: + # - fluent +# -- Exclude resources from individual policies. +# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. +policyExclude: {} + # # Exclude resources from individual policies + # disallow-host-path: + # any: + # - resources: + # kinds: + # - Pod + # namespaces: + # - fluent + # # Policies with multiple rules can have individual rules excluded + # adding-capabilities-strict: + # any: + # - resources: + # kinds: + # - Pod + # namespaces: + # - kube-system + +# -- Name override. nameOverride: -# -- Additional labels + +# -- Additional labels. customLabels: {} -# Policies background mode + +# -- Policies background mode background: true