
Merge pull request #1977 from RinkiyaKeDad/1818_default_to_baseline

replacing pod security standard from default to baseline
This commit is contained in:
Pooja Singh 2021-06-22 23:35:39 +05:30 committed by GitHub
commit c6c803511c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 15 additions and 15 deletions


@ -104,7 +104,7 @@ The following table lists the configurable parameters of the kyverno chart and t
| `service.type` | type of service | `ClusterIP` |
| `tolerations` | list of node taints to tolerate | `[]` |
| `securityContext` | security context configuration | `{}` |
| `podSecurityStandard` | set desired pod security level `privileged`, `default`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `default` |
| `podSecurityStandard` | set desired pod security level `privileged`, `baseline`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `baseline` |
| `podSecuritySeverity` | set desired pod security severity `low`, `medium`, `high`. Used severity level in PolicyReportResults for the selected pod security policies. | `medium` |
| `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` |
| `validationFailureAction` | set to get response in failed validation check. Supported values- `audit`, `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` |


@ -77,9 +77,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- end -}}
{{/* Set if a default policy is managed */}}
{{- define "kyverno.podSecurityDefault" -}}
{{- if or (eq .Values.podSecurityStandard "default") (eq .Values.podSecurityStandard "restricted") }}
{{/* Set if a baseline policy is managed */}}
{{- define "kyverno.podSecurityBaseline" -}}
{{- if or (eq .Values.podSecurityStandard "baseline") (eq .Values.podSecurityStandard "restricted") }}
{{- true }}
{{- else if and (eq .Values.podSecurityStandard "custom") (has .name .Values.podSecurityPolicies) }}
{{- true }}
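Review bot: The renamed helper `kyverno.podSecurityBaseline` no longer recognises the old value `default`, so a user upgrading with `podSecurityStandard: default` still set in their values falls through both branches and every baseline ClusterPolicy is silently not rendered, which removes pod-security enforcement without any signal; the same applies to the nine policy templates that now include this helper and to the new default in values.yaml. A fail-fast branch before the closing of the define would make the rename visible at `helm upgrade` time, e.g. `{{- else if eq .Values.podSecurityStandard "default" }}` followed by `{{- fail "podSecurityStandard \"default\" was renamed to \"baseline\"; update your values" }}`. It would also help to state the rename in the values.yaml comment, e.g. `# Supported- baseline/restricted/privileged/custom (the former "default" is now "baseline")`. The closing `{{- end }}` of the define lies outside this hunk.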


@ -1,5 +1,5 @@
{{- $name := "disallow-add-capabilities" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
{{- if eq (include "kyverno.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:


@ -1,5 +1,5 @@
{{- $name := "disallow-host-namespaces" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
{{- if eq (include "kyverno.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:


@ -1,5 +1,5 @@
{{- $name := "disallow-host-path" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
{{- if eq (include "kyverno.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:


@ -1,5 +1,5 @@
{{- $name := "disallow-host-ports" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
{{- if eq (include "kyverno.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:


@ -1,5 +1,5 @@
{{- $name := "disallow-privileged-containers" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
{{- if eq (include "kyverno.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:


@ -1,5 +1,5 @@
{{- $name := "require-default-proc-mount" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
{{- if eq (include "kyverno.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:


@ -1,5 +1,5 @@
{{- $name := "disallow-selinux" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
{{- if eq (include "kyverno.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:


@ -1,5 +1,5 @@
{{- $name := "restrict-apparmor-profiles" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
{{- if eq (include "kyverno.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:


@ -1,5 +1,5 @@
{{- $name := "restrict-sysctls" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
{{- if eq (include "kyverno.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:


@ -1,9 +1,9 @@
nameOverride:
fullnameOverride:
namespace:
# Supported- default/restricted/privileged/custom
# Supported- baseline/restricted/privileged/custom
# For more info- https://kyverno.io/policies/pod-security
podSecurityStandard: default
podSecurityStandard: baseline
# Supported- low/medium/high
podSecuritySeverity: medium
# Policies to include when podSecurityStandard is custom