
Merge pull request #366 from nirmata/best_practice_policies

Add best practice policies
This commit is contained in:
Shivkumar Dudhani 2019-10-08 15:51:19 -07:00 committed by GitHub
commit d973e84084
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
23 changed files with 406 additions and 7 deletions


@ -9,7 +9,7 @@
| Disallow hostPID and hostIPC | [policy_validate_hostpid_hosipc.yaml](policy_validate_hostpid_hosipc.yaml) |
| Require read only root filesystem | [policy_validate_not_readonly_rootfilesystem.yaml](policy_validate_not_readonly_rootfilesystem.yaml) |
| Disallow node ports | [policy_validate_disallow_node_port.yaml](policy_validate_disallow_node_port.yaml) |
| Allow trusted registries | [policy_validate_image_registries.yaml](policy_validate_image_registries.yaml) |
| Allow trusted registries | [policy_validate_whitelist_image_registries.yaml](policy_validate_whitelist_image_registries.yaml) |
| Require resource requests and limits | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml) |
| Require pod liveness and readiness probes | [policy_validate_pod_probes.yaml](policy_validate_pod_probes.yaml) |
| Require an image tag | [policy_validate_image_tag_notspecified_deny.yaml](policy_validate_image_tag_notspecified_deny.yaml) |
@ -19,3 +19,9 @@
| Prevent mounting of default service account | [policy_validate_disallow_default_serviceaccount.yaml](policy_validate_disallow_default_serviceaccount.yaml) |
| Require a default network policy | [policy_validate_default_network_policy.yaml](policy_validate_default_network_policy.yaml) |
| Require namespace quotas and limit ranges | [policy_validate_namespace_quota.yaml](policy_validate_namespace_quota.yaml) |
| Allow an FSGroup that owns the pod's volumes | [policy_validate_fsgroup.yaml](policy_validate_fsgroup.yaml) |
| Require SELinux level of the container | [policy_validate_selinux_context.yaml](policy_validate_selinux_context.yaml) |
| Allow default Proc Mount type | [policy_validate_default_proc_mount.yaml](policy_validate_default_proc_mount.yaml) |
| Allow certain capability to be added | [policy_validate_container_capabilities.yaml](policy_validate_container_capabilities.yaml) |
| Allow local tcp/udp port range | [policy_validate_sysctl_configs.yaml](policy_validate_sysctl_configs.yaml) |
| Allowed volume plugins | [policy_validate_volume_whitelist.yaml](policy_validate_volume_whitelist.yaml) |


@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-container-capablities
spec:
validationFailureAction: "audit"
rules:
- name: validate-container-capablities
match:
resources:
kinds:
- Pod
validate:
message: "Allow certain capability to be added"
pattern:
spec:
containers:
- securityContext:
capabilities:
add: ["NET_ADMIN"]
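Review bot: The pattern `add: ["NET_ADMIN"]` only inspects `spec.containers`, so an init container that adds a capability is never checked; the same gap applies to the procMount and seLinuxOptions policies in this commit, which also pattern only `containers`. A best-practice policy on capabilities should cover `spec.initContainers` as well, for example as a second rule with the same pattern. It would also help to add a scenario where a pod adds NET_ADMIN plus a second capability, to confirm the list pattern is an exact match rather than a subset check (how this engine compares lists is not visible on this page). Minor: `capablities` in both `metadata.name` and the rule name is a typo, but the scenario file expects the same spelling, so rename both together.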


@ -0,0 +1,19 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-default-proc-mount
spec:
validationFailureAction: "audit"
rules:
- name: validate-default-proc-mount
match:
resources:
kinds:
- Pod
validate:
message: "Default proc mount should set to Unmasked"
pattern:
spec:
containers:
- securityContext:
procMount: Unmasked
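Review bot: The pattern `procMount: Unmasked` together with the message "Default proc mount should set to Unmasked" requires the less restrictive setting: in Kubernetes `Default` is the default value and masks sensitive `/proc` paths, while `Unmasked` removes that masking and exists for nested-container use cases. For a policy the README lists as "Allow default Proc Mount type", the pattern should be `procMount: Default` with a message such as `"Default proc mount should be used"`. The same inversion is in the resource fixture, whose `procMount: Unmasked #Default` comment is wrong, and in the expected scenario that reports success for Unmasked; all three should be flipped together. How this engine treats a pod that omits `securityContext.procMount` entirely is not visible here, so a fixture for that (most common) case would be worth adding too.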


@ -0,0 +1,22 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-fsgroup
spec:
validationFailureAction: "audit"
rules:
- name: validate-fsgroup
exclude:
resources:
namespaces:
- kube-system
match:
resources:
kinds:
- Pod
validate:
message: "directory should have group ID 2000"
pattern:
spec:
securityContext:
fsGroup: 2000
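Review bot: `fsGroup: 2000` pins a single group ID, so the rule reports every pod whose volumes are owned by any other legitimate group, whereas the README describes this policy as "Allow an FSGroup that owns the pod's volumes", which reads as a presence check rather than a fixed value. If the intent is only to require that `fsGroup` be set, a wildcard as used in the SELinux policy in this commit (`fsGroup: "*"`) would match that description, assuming the engine accepts a wildcard against a numeric field — worth confirming with a scenario. If 2000 really is the mandated value, the message "directory should have group ID 2000" should say why that GID is required so users of the example can adapt it.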


@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-selinux-options
spec:
validationFailureAction: "audit"
rules:
- name: validate-selinux-options
match:
resources:
kinds:
- Pod
validate:
message: "SELinux level is required"
pattern:
spec:
containers:
- securityContext:
seLinuxOptions:
level: "*"
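Review bot: The pattern only looks at `spec.containers[].securityContext.seLinuxOptions.level`, so a pod that sets SELinux options once at the pod level (`spec.securityContext.seLinuxOptions`, which applies to all of its containers) does not satisfy it and is reported as missing a level. Consider an `anyPattern` with a pod-level alternative next to the container-level one, as the image-registry policy in this commit does. The fixture covers only `level: ""`; a pod with no `seLinuxOptions` block at all is the more common real-world case and deserves its own scenario.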


@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-allow-portrange-with-sysctl
spec:
validationFailureAction: "audit"
rules:
- name: allow-portrange-with-sysctl
match:
resources:
kinds:
- Pod
validate:
message: "Allowed port range is from 1024 to 65535"
pattern:
spec:
securityContext:
sysctls:
- name: net.ipv4.ip_local_port_range
value: "1024 65535"
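Review bot: `value: "1024 65535"` is an exact string match, so a pod that requests a narrower range inside the allowed one (constructed example: `"2000 60000"`) still fails even though the message "Allowed port range is from 1024 to 65535" implies it should be accepted. If the engine's string patterns cannot express a numeric bound, the message should state that exactly `1024 65535` is required, so the failure text does not promise something the rule does not do. The naming is also inconsistent: the ClusterPolicy is `validate-allow-portrange-with-sysctl`, the rule is `allow-portrange-with-sysctl`, the README lists `policy_validate_sysctl_configs.yaml`, and the Go test is `Test_validate_disallow_sysctl`; settling on one name makes the scenario easier to trace.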


@ -0,0 +1,28 @@
apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-volumes-whitelist
spec:
validationFailureAction: "audit"
rules:
- name: validate-volumes-whitelist
match:
resources:
kinds:
- Pod
validate:
message: "Volumes white list"
anyPattern:
- spec:
volumes:
- hostPath: "*"
- spec:
volumes:
- emptyDir: "*"
- spec:
volumes:
- configMap: "*"
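Review bot: `hostPath: "*"` is listed as an allowed volume type, which undercuts a volume allow-list as a best practice: hostPath exposes the node filesystem to the pod and is the usual reason to restrict volume types in the first place (this commit's README already ships a separate hostPID/hostIPC restriction for the same class of risk). Drop the hostPath alternative, or move it to a clearly opt-in policy, and keep emptyDir, configMap and the other non-host types. Each `anyPattern` alternative is a whole-spec pattern with a single-element `volumes` list, and I cannot tell from this page how the engine matches a pod whose volume list mixes types, so a scenario with a configMap volume plus a volume of a type not in the list would confirm the rule rejects it. Minor: `apiVersion : kyverno.io/v1alpha1` has a space before the colon unlike every other policy here, and the message "Volumes white list" does not tell the user which volume type was rejected.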


@ -10,10 +10,11 @@ spec:
kinds:
- Pod
validate:
message: "Image registry is not allowed"
pattern:
spec:
message: "White list of image registries"
anyPattern:
- spec:
containers:
- name: "*"
# Check allowed registries
image: "*nirmata* | https://private.registry.io/*"
- image: "https://private.registry.io/*"
- spec:
containers:
- image: "*nirmata*"
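Review bot: The new `anyPattern` alternative `image: "https://private.registry.io/*"` can never match: container image references carry no URL scheme (they look like `registry.example/team/app:tag`), so this branch is dead and only the `*nirmata*` branch is effective — the same string was already present in the removed combined pattern. The `*nirmata*` branch is a substring match, so any image whose path or tag merely contains the word nirmata satisfies an allow-list that is meant to pin a registry; anchor it to the start of the reference, e.g. `image: "nirmata/*"` and `image: "private.registry.io/*"`. The message changed from "Image registry is not allowed" to "White list of image registries", but it is only shown on failure, so the old wording told the user more. The enclosing rule starts before this hunk.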


@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: add-capabilities
spec:
containers:
- name: add-capabilities
image: gcr.io/google-samples/node-hello:1.0
securityContext:
capabilities:
add: ["SYS_TIME"]


@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-proc-mount
labels:
app: nginx-proc-mount
spec:
containers:
- name: nginx
image: nginx
securityContext:
procMount: Unmasked #Default


@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-demo
spec:
securityContext:
fsGroup: 2000 # directory will have group ID 2000
volumes:
- name: fsgroup-demo-vol
emptyDir: {}
containers:
- name: fsgroup-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: fsgroup-demo-vol
mountPath: /data/demo


@ -0,0 +1,21 @@
apiVersion: v1
kind: Pod
metadata:
name: busybox-selinux
namespace: default
spec:
containers:
- image: busybox-selinux
name: busybox
command:
- sleep
- "36000"
volumeMounts:
- name: storage
mountPath: /storage
securityContext:
seLinuxOptions:
level: ""
volumes:
- name: storage
emptyDir: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
name: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
securityContext:
sysctls:
- name: net.ipv4.ip_local_port_range
value: "50 65535"


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: test-volumes
spec:
containers:
- name: container-with-configmap
image: busybox
volumeMounts:
- name: cache-vol
mountPath: /cache
volumes:
- name: cache-vol
configMap:
name: log-config
items:
- key: log_level
path: log_level


@ -0,0 +1,8 @@
apiVersion: v1
kind: Pod
metadata:
name: nirmata-nginx
spec:
containers:
- name: nirmata-nginx
image: nirmata/nginx


@ -111,3 +111,31 @@ func Test_validate_disallow_node_port(t *testing.T) {
func Test_validate_disallow_default_serviceaccount(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_disallow_default_serviceaccount.yaml")
}
func Test_validate_fsgroup(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_fsgroup.yaml")
}
func Test_validate_selinux_context(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_selinux_context.yaml")
}
func Test_validate_proc_mount(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_default_proc_mount.yaml")
}
func Test_validate_container_capabilities(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_container_capabilities.yaml")
}
func Test_validate_disallow_sysctl(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_sysctl_configs.yaml")
}
func Test_validate_volume_whitelist(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_volume_whiltelist.yaml")
}
func Test_validate_whitelist_image_registries(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_whitelist_image_registries.yaml")
}
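Review bot: `Test_validate_volume_whitelist` points at `test/scenarios/test/scenario_validate_volume_whiltelist.yaml`, where "whiltelist" looks like a typo; the scenario file's own path is not shown on this page, so if it was added under the correctly spelled name this test fails at load time — verify the two agree, and prefer fixing the spelling in both. `Test_validate_disallow_sysctl` exercises a policy whose rule is `allow-portrange-with-sysctl`, and `Test_validate_proc_mount` runs `scenario_validate_default_proc_mount.yaml`; naming each test after its scenario file keeps them traceable.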


@ -0,0 +1,19 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_container_capabilities.yaml
resource: examples/best_practices/resources/resource_validate_container_capabilities.yaml
expected:
validation:
policyresponse:
policy: validate-container-capablities
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: add-capabilities
rules:
- name: validate-container-capablities
type: Validation
message: "Validation rule 'validate-container-capablities' failed at '/spec/containers/0/securityContext/capabilities/add/0/' for resource Pod//add-capabilities. Allow certain capability to be added"
success: false


@ -0,0 +1,19 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_default_proc_mount.yaml
resource: examples/best_practices/resources/resource_validate_default_proc_mount.yaml
expected:
validation:
policyresponse:
policy: validate-default-proc-mount
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: nginx-proc-mount
rules:
- name: validate-default-proc-mount
type: Validation
message: "Validation rule 'validate-default-proc-mount' succesfully validated"
success: true


@ -0,0 +1,19 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_fsgroup.yaml
resource: examples/best_practices/resources/resource_validate_fsgroup.yaml
expected:
validation:
policyresponse:
policy: validate-fsgroup
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: fsgroup-demo
rules:
- name: validate-fsgroup
type: Validation
message: "Validation rule 'validate-fsgroup' failed at '/spec/securityContext/fsGroup/' for resource Pod//fsgroup-demo. directory should have group ID 2000"
success: false
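Review bot: The expected result `success: false` at `/spec/securityContext/fsGroup/` contradicts the inputs: the `fsgroup-demo` fixture sets `fsGroup: 2000` and the policy pattern is `fsGroup: 2000`, so a matching value is being asserted to fail. Either the scenario pins a defect in how the engine compares numeric values (in which case the test locks in the bug rather than the intended behaviour) or the wrong fixture is referenced; the expectation should be settled before merging. If the aim was to exercise the failure path, the fixture should use a different group ID while the message stays "directory should have group ID 2000".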


@ -0,0 +1,19 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_selinux_context.yaml
resource: examples/best_practices/resources/resource_validate_selinux_context.yaml
expected:
validation:
policyresponse:
policy: validate-selinux-options
resource:
kind: Pod
apiVersion: v1
namespace: default
name: busybox-selinux
rules:
- name: validate-selinux-options
type: Validation
message: "Validation rule 'validate-selinux-options' failed at '/spec/containers/0/securityContext/seLinuxOptions/' for resource Pod/default/busybox-selinux. SELinux level is required"
success: false


@ -0,0 +1,19 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_sysctl_configs.yaml
resource: examples/best_practices/resources/resource_validate_sysctl_configs.yaml
expected:
validation:
policyresponse:
policy: validate-allow-portrange-with-sysctl
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: nginx
rules:
- name: allow-portrange-with-sysctl
type: Validation
message: "Validation rule 'allow-portrange-with-sysctl' failed at '/spec/securityContext/sysctls/0/value/' for resource Pod//nginx. Allowed port range is from 1024 to 65535"
success: false


@ -0,0 +1,19 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_volume_whitelist.yaml
resource: examples/best_practices/resources/resource_validate_volume_whitelist.yaml
expected:
validation:
policyresponse:
policy: validate-volumes-whitelist
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: test-volumes
rules:
- name: validate-volumes-whitelist
type: Validation
message: "Validation rule 'validate-volumes-whitelist' anyPattern[2] succesfully validated"
success: true


@ -0,0 +1,18 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_whitelist_image_registries.yaml
resource: examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml
expected:
validation:
policyresponse:
policy: validate-image-registry
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: nirmata-nginx
rules:
- name: validate-image-registry
type: Validation
message: Validation rule 'validate-image-registry' anyPattern[1] succesfully validated
success: true
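Review bot: The last rule's `message:` is an unquoted plain scalar while every other scenario in this commit quotes the message; it parses today, but the value contains `'` and `[...]` and is one edit away from a type change or parse error, so quote it like the others: `message: "Validation rule 'validate-image-registry' anyPattern[1] succesfully validated"`. The fixture image `nirmata/nginx` carries no tag, which the README's own "Require an image tag" policy would reject; pinning a tag keeps the example set self-consistent. "succesfully" presumably mirrors the engine's message string, so it has to stay until that text is fixed.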