1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/charts/kyverno-policies
treydock 0ae671ca7a
Cherry-pick release-1.6 Helm changes (#3689)
* Support releasing kyverno and kyverno-policies chart separately (#3672)

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Add DELETE precondition back (#3657)

* Add DELETE precondition back

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Add another example and test for 'any'

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

Co-authored-by: shuting <shuting@nirmata.com>
2022-04-27 03:52:45 +00:00
..
ci Cherry-pick release-1.6 Helm changes (#3689) 2022-04-27 03:52:45 +00:00
templates Cherry-pick release-1.6 Helm changes (#3689) 2022-04-27 03:52:45 +00:00
Chart.yaml Cherry-pick release-1.6 Helm changes (#3689) 2022-04-27 03:52:45 +00:00
README.md Cherry-pick release-1.6 Helm changes (#3689) 2022-04-27 03:52:45 +00:00
README.md.gotmpl Cherry-pick release-1.6 Helm changes (#3689) 2022-04-27 03:52:45 +00:00
values.yaml Cherry-pick release-1.6 Helm changes (#3689) 2022-04-27 03:52:45 +00:00

kyverno-policies

Kubernetes Pod Security Standards implemented as Kyverno policies

Version: v2.3.4 Type: application AppVersion: v1.6.2

About

This chart contains Kyverno's implementation of the Kubernetes Pod Security Standards (PSS) as documented at https://kubernetes.io/docs/concepts/security/pod-security-standards/ and are a Helm packaged version of those found at https://github.com/kyverno/policies/tree/main/pod-security. The goal of the PSS controls is to provide a good starting point for general Kubernetes cluster operational security. These controls are broken down into two categories, Baseline and Restricted. Baseline policies implement the most basic of Pod security controls while Restricted implements more strict controls. Restricted is cumulative and encompasses those listed in Baseline.

The following policies are included in each profile.

Baseline

  • disallow-capabilities
  • disallow-host-namespaces
  • disallow-host-path
  • disallow-host-ports
  • disallow-host-process
  • disallow-privileged-containers
  • disallow-proc-mount
  • disallow-selinux
  • restrict-apparmor-profiles
  • restrict-seccomp
  • restrict-sysctls

Restricted

  • disallow-capabilities-strict
  • disallow-privilege-escalation
  • require-run-as-non-root-user
  • require-run-as-nonroot
  • restrict-seccomp-strict
  • restrict-volume-types

An additional policy "require-non-root-groups" is included in an other group as this was previously included in the official PSS controls but since removed.

For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security.

Installing the Chart

These PSS policies presently have a minimum requirement of Kyverno 1.6.0.

## Add the Kyverno Helm repository
$ helm repo add kyverno https://kyverno.github.io/kyverno/

## Install the Kyverno Policies Helm chart
$ helm install kyverno-policies --namespace kyverno kyverno/kyverno-policies

Uninstalling the Chart

To uninstall/delete the kyverno-policies chart:

$ helm delete -n kyverno kyverno-policies

The command removes all the Kubernetes components associated with the chart and deletes the release.

Values

Key Type Default Description
podSecurityStandard string "baseline" Pod Security Standard profile (baseline, restricted, privileged, custom). For more info https://kyverno.io/policies/pod-security.
podSecuritySeverity string "medium" Pod Security Standard (low, medium, high).
podSecurityPolicies list [] Policies to include when podSecurityStandard is custom.
includeOtherPolicies list [] Additional policies to include from other.
validationFailureAction string "audit" Validation failure action (audit, enforce). For more info https://kyverno.io/docs/writing-policies/validate.
validationFailureActionOverrides object {"all":[]} Define validationFailureActionOverrides for specific policies. The overrides for all will apply to all policies.
policyExclude object {} Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the policyExclude map.
policyPreconditions object {} Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the policyPreconditions map.
nameOverride string nil Name override.
customLabels object {} Additional labels.
background bool true Policies background mode

Source Code

Requirements

Kubernetes: >=1.16.0-0

Maintainers

Name Email Url
Nirmata https://kyverno.io/

Changes

v2.3.4

  • Do not evaluate foreach policies on DELETE

v2.3.3

  • Add policyPreconditions value to allow policies and rules to have preconditions added

Autogenerated from chart metadata using helm-docs v1.6.0