mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/samples
Shivkumar Dudhani 3cf9141f4d
593 feature (#594)
* initial commit

* background policy validation

* correct message

* skip non-background policy process for add/update

* add Generate Request CR

* generate Request Generator Initial

* test generate request CR generation

* initial commit gr generator

* generate controller initial framework

* add crd for generate request

* gr cleanup controller initial commit

* cleanup controller initial

* generate mid-commit

* generate rule processing

* create PV on generate error

* embed resource type

* testing phase 1- generate resources with variable substitution

* fix tests

* comment broken test #586

* add printer column for state

* return if existing resource for clone

* set resync time to 2 mins & remove resource version check in update handler for gr

* generate events for reporting

* fix logs

* initial commit

* fix trailing quote in patch

* remove comments

* initial condition (equal & notequal)

* initial support for conditions

* initial support for conditions in generate

* support precondition checks

* cleanup

* re-evaluate GR on namespace update using dynamic informers

* add status for generated resources

* display loaded variable SA

* support delete cleanup of generate request main resources

* fix log

* remove namespace from SA username

* support multiple variables per statement for scalar values

* fix fail variables

* add check for userInfo

* validation checks for conditions

* update policy

* refactor logs

* code review

* add openapispec for clusterpolicy preconditions

* Update documentation

* CR fixes

* documentation

* CR fixes

* update variable

* fix logs

* update policy

* pre-defined variables (serviceAccountName & serviceAccountNamespace)

* update test
2020-01-07 15:13:57 -08:00
..
best_practices 593 feature (#594) 2020-01-07 15:13:57 -08:00
more update documentation 2019-12-10 09:51:15 -08:00
AddDefaultNetworkPolicy.md 593 feature (#594) 2020-01-07 15:13:57 -08:00
AddNamespaceQuotas.md 593 feature (#594) 2020-01-07 15:13:57 -08:00
AddSafeToEvict.md update documentation 2019-12-10 09:51:15 -08:00
CheckUserGroup.md update documentation 2019-12-10 09:51:15 -08:00
DisallowBindMounts.md Merge pull request #584 from nirmata/371_omitempty 2020-01-02 11:17:31 -08:00
DisallowDefaultNamespace.md update api in samples/ 2019-11-13 13:56:20 -08:00
DisallowDockerSockMount.md update documentation 2019-12-10 09:51:15 -08:00
DisallowHelmTiller.md update api in samples/ 2019-11-13 13:56:20 -08:00
DisallowHostNetworkPort.md update documentation 2019-12-10 09:51:15 -08:00
DisallowHostPIDIPC.md update api in samples/ 2019-11-13 13:56:20 -08:00
DisallowLatestTag.md update documentation 2019-12-10 09:51:15 -08:00
DisallowNewCapabilities.md update api in samples/ 2019-11-13 13:56:20 -08:00
DisallowPrivilegedContainers.md update markdown 2019-12-30 16:45:22 -08:00
DisallowRootUser.md update markdown 2019-12-30 16:45:22 -08:00
DisallowSysctls.md update api in samples/ 2019-11-13 13:56:20 -08:00
README.md update documentation 2019-12-10 09:51:15 -08:00
RequirePodProbes.md update api in samples/ 2019-11-13 13:56:20 -08:00
RequirePodRequestsLimits.md update documentation 2019-12-10 09:51:15 -08:00
RequireReadOnlyRootFS.md update api in samples/ 2019-11-13 13:56:20 -08:00
RestrictAutomountSAToken.md update documentation 2019-12-10 09:51:15 -08:00
RestrictImageRegistries.md update api in samples/ 2019-11-13 13:56:20 -08:00
RestrictIngressClasses.md update api in samples/ 2019-11-13 13:56:20 -08:00
RestrictNodePort.md update documentation 2019-12-10 09:51:15 -08:00

Sample Policies

Sample policies are designed to be applied to your Kubernetes clusters with minimal changes.

The policies are mostly validation rules in audit mode, i.e. your existing workloads will not be impacted, but they will be audited and reported for policy compliance.
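To make "validation rule in audit mode" concrete, here is an added example (written for this page, not one of the repository's own sample files) of a ClusterPolicy that audits, rather than blocks, privileged containers. The apiVersion `kyverno.io/v1`, the policy name and the message text are assumptions; check the apiVersion against the Kyverno release you install.

```yaml
# Added example, not a file from samples/. Assumed apiVersion: kyverno.io/v1.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  # "audit" records a violation instead of rejecting the admission request;
  # switch to "enforce" once existing workloads are clean.
  validationFailureAction: audit
  rules:
  - name: validate-privileged
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Privileged mode is not allowed. Set privileged to false."
      pattern:
        spec:
          containers:
          # "=(key)" makes the key optional: a container with no securityContext
          # (or no privileged field) passes; one that sets privileged: true fails.
          - =(securityContext):
              =(privileged): false
```

Because the action is audit, a Pod with `privileged: true` is still admitted; the violation shows up in the policy's reported status and in Kubernetes events, which is how you discover what would break before flipping the same policy to enforce.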

Best Practice Policies

These policies are highly recommended.

  1. Disallow root user
  2. Disallow privileged containers
  3. Disallow new capabilities
  4. Disallow kernel parameter changes
  5. Disallow use of bind mounts (hostPath volumes)
  6. Disallow docker socket bind mount
  7. Disallow hostNetwork and hostPort
  8. Disallow hostPID and hostIPC
  9. Disallow use of default namespace
  10. Disallow latest image tag
  11. Disallow Helm Tiller
  12. Require read-only root filesystem
  13. Require pod resource requests and limits
  14. Require pod livenessProbe and readinessProbe
  15. Add default network policy
  16. Add namespace quotas
  17. Add safe-to-evict for pods with emptyDir and hostPath volumes
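Items 15 and 16 above are not validation rules but generate rules: Kyverno creates a resource in response to another one. As an added example (not the repository's own AddDefaultNetworkPolicy sample), the following policy creates a default-deny ingress NetworkPolicy whenever a Namespace is created. The apiVersion `kyverno.io/v1`, the policy and NetworkPolicy names are assumptions.

```yaml
# Added example, not a file from samples/. Assumed apiVersion: kyverno.io/v1.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-network-policy
spec:
  rules:
  - name: default-deny-ingress
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: NetworkPolicy
      name: default-deny-ingress
      # The Namespace that triggered the rule; Kyverno substitutes the
      # variable from the admission request object.
      namespace: "{{request.object.metadata.name}}"
      data:
        spec:
          # Empty podSelector matches every pod in the namespace; listing
          # Ingress with no ingress rules denies all inbound traffic.
          podSelector: {}
          policyTypes:
          - Ingress
```

A generate rule does not alter the namespace being admitted, so it never blocks a request; if creating the NetworkPolicy fails (for example the Kyverno service account lacks RBAC for networkpolicies), the failure is surfaced as a policy violation rather than as an admission error.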

Additional Policies

These policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments.

  1. Restrict image registries
  2. Restrict NodePort services
  3. Restrict auto-mount of service account credentials
  4. Restrict ingress classes
  5. Restrict User Group

Applying the sample policies

To apply these policies to your cluster, install Kyverno and import the policies as follows:

Install Kyverno

kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml

(installation docs)

Apply Kyverno Policies

To start applying policies to your cluster, first clone the repo:

git clone https://github.com/nirmata/kyverno.git
cd kyverno

Import the best practice policies:

kubectl create -f samples/best_practices

Import the additional policies:

kubectl create -f samples/more/