mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Commit graph

188 commits

Author SHA1 Message Date
Jim Bugwadia
3ffb0cfa39 add disallow_sysctl and move policies 2019-11-11 17:17:09 -08:00
Jim Bugwadia
05503e4fd1 update other policies 2019-11-11 14:09:07 -08:00
Jim Bugwadia
dd4d091c23 update restrict_automount_sa_token 2019-11-10 21:57:20 -08:00
Jim Bugwadia
5b2fd96131 update LimitNodePort 2019-11-10 21:34:22 -08:00
Jim Bugwadia
5e8b6c4183 update add_networkPolicy 2019-11-10 21:27:50 -08:00
Jim Bugwadia
244909ebb3 update require_probes 2019-11-10 21:18:17 -08:00
Jim Bugwadia
c1be682a93 update require_pod_requests_limits 2019-11-10 21:06:49 -08:00
Jim Bugwadia
f668113904 update add_ns_quota 2019-11-10 20:58:57 -08:00
Jim Bugwadia
a6d5fb6e30 update restrict_image_registries 2019-11-10 18:13:01 -08:00
Jim Bugwadia
f31abbffab update disallow_latest_tag 2019-11-10 17:54:38 -08:00
Jim Bugwadia
7f54e8e2e3 Merge branch '451_fix_disallow_host_net_port' into 452_make_sample_policy_rule_names_consistent
# Conflicts:
#	samples/best_practices/disallow_host_network_hostport.yaml
#	test/scenarios/samples/best_practices/disallow_host_network_port.yaml
2019-11-10 17:35:43 -08:00
Jim Bugwadia
20736e5e81 update disallow_default_namespace and disallow_host_network_port and disallow_host_pid_ipc 2019-11-10 15:50:18 -08:00
Jim Bugwadia
170e2a5179 update disallow_docker_sock_mount and disallow_host_network_port 2019-11-10 12:53:48 -08:00
Jim Bugwadia
fd1a26db29 update DisallowBindMounts 2019-11-09 16:33:19 -08:00
Jim Bugwadia
fae8ac0325 update RequireReadOnlyRootFS 2019-11-09 16:18:33 -08:00
Jim Bugwadia
121b81a83b update disallow new capabilities 2019-11-09 16:07:16 -08:00
Jim Bugwadia
cba79c69a2 update disallow_priviledged 2019-11-08 20:04:42 -08:00
Jim Bugwadia
5ce8fd7a9a update disallow_root_user 2019-11-08 19:25:43 -08:00
Jim Bugwadia
6baa678e27 rename add_safe_to_evict 2019-11-08 19:02:49 -08:00
Jim Bugwadia
a0d3f728da fix disallow_host_network_hostport policy 2019-11-08 18:26:58 -08:00
Jim Bugwadia
ab2e671df5 update test scenario and change rule to audit mode 2019-11-07 19:28:48 -08:00
Jim Bugwadia
4aac8f43a9 fix test 2019-11-07 19:19:33 -08:00
Shuting Zhao
ec331b8d17 remove resource info in the validation error 2019-11-07 12:30:58 -08:00
Shuting Zhao
59fb1c90cd fix test 2019-11-07 12:13:35 -08:00
Shuting Zhao
a30b8a604d update format 2019-11-07 12:13:35 -08:00
Shuting Zhao
443619757e update tests/scenario 2019-11-07 12:13:35 -08:00
Shuting Zhao
58054ef5b6 remove duplicate test 2019-11-07 12:13:34 -08:00
Shuting Zhao
de9ebd899b improve validation error message; update scenario files 2019-11-07 12:13:34 -08:00
Jim Bugwadia
1173e062c9 - add policy and test for known ingress
- fix messages and remove unnecessary comments in testrunner/scenario.go
2019-11-05 19:07:44 -08:00
Shuting Zhao
9f7b6eaaf6 skip applying mutate rule if condition key is not present in the resource, consider the rule as success 2019-11-05 16:27:06 -08:00
Jim Bugwadia
cab87f24ba add test case 2019-11-05 15:32:45 -08:00
Shuting Zhao
664a85363a correct scenario test 2019-11-05 12:59:22 -08:00
Jim Bugwadia
5ded29f74e temp update for debugging 2019-11-05 12:28:44 -08:00
Shuting Zhao
489e55d6c3 add best_practices scenario_mutate_safe-to-evict 2019-11-05 10:16:07 -08:00
Jim Bugwadia
35bed4bc6a add safe-to-evict annotation 2019-11-04 17:55:13 -08:00
Jim Bugwadia
8543654423
Merge pull request #439 from nirmata/412_no_helm_tiller
add disallow Helm tiller
2019-11-04 11:27:55 -08:00
Jim Bugwadia
41afefbe8e add disallow Helm tiller 2019-11-03 18:19:06 -08:00
shivkumar dudhani
8eacc00ae5 add period to message in scenario 2019-11-01 15:46:22 -07:00
Jim Bugwadia
3b1143c934
Merge pull request #436 from nirmata/411_no_docker_sock_mount
411 no docker sock mount
2019-11-01 15:38:40 -07:00
shivkumar dudhani
417c59508d update message string 2019-11-01 15:24:31 -07:00
shivkumar dudhani
a191bd67f4 update message string 2019-11-01 15:21:23 -07:00
Jim Bugwadia
1323a9a81e add policy and test case 2019-11-01 15:19:26 -07:00
Jim Bugwadia
8ddd9f036f
Merge branch 'master' into 410_no_new_capabilities 2019-11-01 14:53:56 -07:00
Jim Bugwadia
4fbc57bfed update policy and test case 2019-11-01 14:37:17 -07:00
Jim Bugwadia
97425392fe update pod name 2019-11-01 11:56:17 -07:00
Jim Bugwadia
440c23f231 add test case (currently fails) 2019-11-01 11:40:23 -07:00
Shuting Zhao
40c9824781 fix test 2019-10-30 12:58:14 -07:00
shivkumar dudhani
1cd9bd748c update scenario 2019-10-24 19:23:17 -05:00
shivkumar dudhani
e6920b79ea remove old policies 2019-10-14 14:58:44 -07:00
shivkumar dudhani
a4a0a27472 clean up 2019-10-14 14:37:03 -07:00
shivkumar dudhani
4e5f551fa7 clean up 2019-10-14 14:10:34 -07:00
shivkumar dudhani
17895e9718 cleanUp 2019-10-14 12:48:24 -07:00
shivkumar dudhani
21d174a2bf merge changes 2019-10-14 12:46:44 -07:00
Jim Bugwadia
053a92ba51 fix paths 2019-10-14 12:42:31 -07:00
shivkumar dudhani
530ac6962c initial clean up 2019-10-14 12:36:19 -07:00
shivkumar dudhani
4abdec337d documentation updates 2019-10-14 10:47:54 -07:00
Shuting Zhao
eb8bd71ac2 add test scenario - missing image tag 2019-10-10 19:13:04 -07:00
Shuting Zhao
38bf4d6055 add 'deny-use-of-host-fs' 2019-10-10 18:42:54 -07:00
Shuting Zhao
300665b22b Merge branch 'best_practice_policies' of https://github.com/nirmata/kyverno into best_practice_policies 2019-10-10 12:30:14 -07:00
Shuting Zhao
24f3b8ac96 disallow automountServiceAccountToken 2019-10-10 12:29:48 -07:00
shivkumar dudhani
dbc35eb8f4 enable disabled tests 2019-10-10 12:22:07 -07:00
Shuting Zhao
f1ed0720c4 update default network policy to deny all ingress traffic 2019-10-10 11:08:20 -07:00
Shuting Zhao
7fcc6bbd33 require default namespace resource quota 2019-10-10 10:46:11 -07:00
Shuting Zhao
3087257b46 disallow use of default namespace 2019-10-10 10:34:49 -07:00
Shuting Zhao
012360ae3a allow trusted registries 2019-10-10 10:29:10 -07:00
shivkumar dudhani
0f7de18476 examples cleanup: move policies 2019-10-09 21:06:49 -07:00
Shuting Zhao
48c2c39da7 add samples/best_practices/require_default_network_policy.yaml 2019-10-09 18:52:48 -07:00
Shuting Zhao
3b2561dddb file name mistyped 2019-10-09 18:49:38 -07:00
Shuting Zhao
4d29b461ff add require_image_tag_not_latest.yaml 2019-10-09 18:35:07 -07:00
Shuting Zhao
3e1ef320a8 add require_probes.yaml 2019-10-09 17:49:00 -07:00
Shuting Zhao
ea25ed8460 add check-pod-request-limit.yaml 2019-10-09 17:37:31 -07:00
Shuting Zhao
381210e977 add disallow_node_port.yaml 2019-10-08 22:13:34 -07:00
Shuting Zhao
18c190447f update require-readonly-rootfilesystem.yaml 2019-10-08 22:09:58 -07:00
Shuting Zhao
cb44585d70 add disallow_readonly_rootfilesystem.yaml 2019-10-08 22:05:15 -07:00
Shuting Zhao
c755df6b70 add scenario_validate_disallow_hostpid_hostipc.yaml 2019-10-08 21:58:05 -07:00
Shuting Zhao
ce41e4a99d add disallow_host_network_hostport.yaml 2019-10-08 21:51:35 -07:00
Shuting Zhao
0c0a9a69a6 add disallow_priviledged_privelegesecalation.yaml 2019-10-08 21:42:49 -07:00
Shuting Zhao
8f8bd05106 add samples/best_practices/deny_runasrootuser.yaml 2019-10-08 21:30:19 -07:00
Shuting Zhao
cac41d9fda using anyPattern for allowed image registries 2019-10-07 14:34:32 -07:00
Shuting Zhao
87d9cdd9dd best practice: volume white list 2019-10-07 12:46:34 -07:00
Shuting Zhao
16a851cd8b update sysctl 2019-10-07 11:35:04 -07:00
Shuting Zhao
c80f9e0f9d best_practice: sysctl 2019-10-07 11:21:14 -07:00
Shuting Zhao
2243e9e2e7 best practice: validate container capability 2019-10-04 18:15:39 -07:00
Shuting Zhao
0c09ba53eb best-practice: validate default proc mount 2019-10-04 17:48:57 -07:00
Shuting Zhao
1bd8663e4c add selinux best practice 2019-10-04 17:28:42 -07:00
Shuting Zhao
04c147eb77 add security context "fsgroup" 2019-10-04 16:50:23 -07:00
Shuting Zhao
23c9212d67 fix hostpid/hostipc test runner 2019-10-01 14:53:58 -07:00
Shuting Zhao
5009e8abb7 change anypattern to pattern, refer #357 2019-10-01 14:45:16 -07:00
Shuting Zhao
d279d7fd77 update testrunner 2019-09-18 12:33:25 -07:00
Shuting Zhao
da3d48f020 update test scenario for non-root user 2019-09-17 18:51:16 -07:00
Shuting Zhao
658fb84e91 update best_practice Disallow privileged and privilege escalation 2019-09-17 18:42:08 -07:00
Shuting Zhao
f4eee4b30a update best-practice run as non-root user 2019-09-17 18:36:24 -07:00
Shuting Zhao
5e0415911a add best-practice: policy_validate_disallow_default_serviceaccount 2019-09-16 14:16:54 -07:00
shivkumar dudhani
44af35d6e4 support wild cards for namespaces in rule resource description 2019-09-12 17:11:55 -07:00
Shuting Zhao
e6a5b1ceb8 add namespace_quota testrunner 2019-09-10 12:27:21 -07:00
Shuting Zhao
2e22c21164 add policy_validate_disallow_node_port.yaml 2019-09-10 11:57:33 -07:00
Shuting Zhao
3237f3d799 add policy_validate_not_readonly_rootfilesystem.yaml 2019-09-09 18:13:38 -07:00
Shuting Zhao
3eeba1a32b add policy_validate_hostPID_hosIPC.yaml 2019-09-09 17:34:25 -07:00
Shuting Zhao
d0fd3e69ef update testrunner, unit test for validate_host_network_port 2019-09-09 16:08:15 -07:00
Shuting Zhao
0fe5a065dd add validate_hostpath testrunner 2019-09-09 15:06:54 -07:00