mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

new samples around image practices (#1302)

This commit is contained in:
Chip Zoller 2020-11-25 14:48:21 -05:00 committed by GitHub
parent d8062eb98b
commit f5d48721e6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 108 additions and 1 deletions


@ -2,7 +2,7 @@
Sample policies are designed to be applied to your Kubernetes clusters with minimal changes. Sample policies are designed to be applied to your Kubernetes clusters with minimal changes.
The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy compliance. The policies are mostly validation rules in `audit` mode (i.e. your existing workloads will not be impacted, but will be audited for policy compliance). It is recommended that all policies be tested and observed in a non-production environment before setting `enforce` mode.
## Best Practice Policies ## Best Practice Policies
@ -45,6 +45,13 @@ These policies provide additional best practices and are worthy of close conside
1. [Disallow mounting Secrets as environment variables](DisallowSecretsFromEnvVars.md) 1. [Disallow mounting Secrets as environment variables](DisallowSecretsFromEnvVars.md)
1. [Add default labels](AddDefaultLabels.md) 1. [Add default labels](AddDefaultLabels.md)
## Miscellaneous Policies
Policies in this group are either highly-specific, involve third-party CRDs, or may be variations on standard Best Practice or Additional policies.
1. [Require `imagePullPolicy` of `Always` for images not using `latest` tags](RequireImagePullPolicyAlways.md)
1. [Require images using `latest` tag not use `imagePullPolicy` of `Always`](RequireLatestImagesNotUseAlways.md)
## Applying the sample policies ## Applying the sample policies
To apply these policies to your cluster, install Kyverno and import the policies as follows: To apply these policies to your cluster, install Kyverno and import the policies as follows:
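Review bot: the two new entries under `## Miscellaneous Policies` use different wording from the headings of the documents they link to ("Require `imagePullPolicy` of `Always` for images not using `latest` tags" versus the document's "Require `imagePullPolicy` is set to `Always` for images not using `latest` tags", and "Require images using `latest` tag not use `imagePullPolicy` of `Always`" versus "Require images using `latest` tag set `imagePullPolicy` to not `Always`"); pick one phrasing and use it in both places so the list entry and the page title read the same. The reworded sentence about `audit` mode is clearer, but it says existing workloads "will be audited for policy compliance", while both new sample policies set `background: false`, so for these two samples only resources admitted after the policy is installed are reported; either flip `background` to `true` in the samples or qualify the README sentence.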


@ -0,0 +1,29 @@
# Require `imagePullPolicy` is set to `Always` for images not using `latest` tags
By default, Kubernetes sets the `imagePullPolicy` for images which specify a tag to be `IfNotPresent`. In some cases, this may not be desired where the image could be rebuilt upstream. This sample policy ensures that all containers have their `imagePullPolicy` set to `Always`.
## Policy YAML
[imagepullpolicy-always.yaml](misc/imagepullpolicy-always.yaml)
```yaml
apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
name: imagepullpolicy-always
spec:
validationFailureAction: audit
background: false
rules:
- name: imagepullpolicy-always
match:
resources:
kinds:
- Pod
validate:
message: "The imagePullPolicy must be set to `Always` for all containers when a tag other than `latest` is used."
pattern:
spec:
containers:
- imagePullPolicy: Always
```
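Review bot: the rule does not implement what the heading promises. The heading scopes the policy to "images not using `latest` tags" and the `message` repeats that qualifier, but the pattern `- imagePullPolicy: Always` is applied to every entry of `spec.containers` regardless of image tag, and the body text even says the policy "ensures that all containers have their `imagePullPolicy` set to `Always`". Either drop the tag qualifier from the heading and message, or add a conditional anchor on the image the way the sibling `latest` policy does, e.g. `- (image): "!*:latest"` followed by `imagePullPolicy: Always`, so that `latest`-tagged images (which Kubernetes already defaults to `Always`) are skipped. The text should also state that `initContainers` are not inspected by this pattern.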


@ -0,0 +1,32 @@
# Require images using `latest` tag set `imagePullPolicy` to not `Always`
When using the `latest` tag for images, although generally [not a best practice](DisallowLatestTag.md), Kubernetes defaults its `imagePullPolicy` to `Always`. Since Docker Hub has instituted a [rate-limiting policy](https://www.docker.com/blog/what-you-need-to-know-about-upcoming-docker-hub-rate-limiting/), this could result in reaching that limit faster than anticipated, which could mean errors for other Pods in the cluster or across the enterprise. Ensuring those `latest`-tagged images do not use the default of `Always` is one way to ensure pulls are only when needed.
This sample policy checks the `image` value and ensures that if `:latest` is defined that the `imagePullPolicy` must use something other than the value of `Always`. Note that if no tag is defined, Kyverno will not see that as a violation of the policy.
## Policy YAML
[latestimage-notalways.yaml](misc/latestimage-notalways.yaml)
```yaml
apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
name: latestimage-notalways
spec:
validationFailureAction: audit
background: false
rules:
- name: latestimage-notalways
match:
resources:
kinds:
- Pod
validate:
message: "When using the `latest` tag, the `imagePullPolicy` must not use `Always`."
pattern:
spec:
containers:
- (image): "*:latest"
imagePullPolicy: "!Always"
```
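Review bot: the caveat in the second paragraph understates the gap. An image reference with no tag is treated by Kubernetes exactly like `:latest`, including the `imagePullPolicy: Always` default, so the untagged case carries the same Docker Hub rate-limit exposure the first paragraph describes, yet `(image): "*:latest"` will never match it. Say that explicitly, and point readers to the linked `DisallowLatestTag.md` sample as the complementary control, or add a rule that covers the untagged form. The pattern also only inspects `spec.containers`; an `initContainers` entry pulling a `latest` image with `Always` is silently accepted, so either extend the pattern or note the limitation in the text.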


@ -0,0 +1,19 @@
apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
name: imagepullpolicy-always
spec:
validationFailureAction: audit
background: false
rules:
- name: imagepullpolicy-always
match:
resources:
kinds:
- Pod
validate:
message: "The imagePullPolicy must be set to `Always` for all containers when a tag other than `latest` is used."
pattern:
spec:
containers:
- imagePullPolicy: Always
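Review bot: the `message` under `validate` says the requirement applies "when a tag other than `latest` is used", but nothing in `pattern` checks the image tag, so an operator reading the audit report is told about a condition the rule never evaluated. Either reword the message to match the rule as written (every container must set `Always`), or add `(image): "!*:latest"` as a conditional anchor on the list element so the rule actually skips `latest` images and the message becomes true. Minor: `apiVersion : kyverno.io/v1` has a stray space before the colon; YAML tolerates it, but drop it for the conventional `apiVersion:` form.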


@ -0,0 +1,20 @@
apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
name: latestimage-notalways
spec:
validationFailureAction: audit
background: false
rules:
- name: latestimage-notalways
match:
resources:
kinds:
- Pod
validate:
message: "When using the `latest` tag, the `imagePullPolicy` must not use `Always`."
pattern:
spec:
containers:
- (image): "*:latest"
imagePullPolicy: "!Always"
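Review bot: the pattern only covers `spec.containers`; an `initContainers` entry that pulls `something:latest` with the defaulted `Always` policy passes untouched, which is exactly the repeated pull this policy exists to prevent. Add a parallel `initContainers` block with the same `(image): "*:latest"` anchor and `imagePullPolicy: "!Always"` value. Two further points: `apiVersion : kyverno.io/v1` on the first line has a stray space before the colon and should be `apiVersion:`; and because the API server defaults `imagePullPolicy` before admission runs, a Pod that omits the field on a `latest` image reaches Kyverno with `Always` already set and is reported, which is the intended behaviour but worth stating in the accompanying document so the audit entry is not mistaken for a false positive.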