|
|
||
|---|---|---|
| .. | ||
| best_practices | ||
| misc | ||
| more | ||
| AddDefaultLabels.md | ||
| AddDefaultNetworkPolicy.md | ||
| AddNamespaceQuotas.md | ||
| AddSafeToEvict.md | ||
| CheckUserGroup.md | ||
| CreatePodAntiAffinity.md | ||
| DisallowBindMounts.md | ||
| DisallowDefaultNamespace.md | ||
| DisallowDockerSockMount.md | ||
| DisallowHelmTiller.md | ||
| DisallowHostNetworkPort.md | ||
| DisallowHostPIDIPC.md | ||
| DisallowLatestTag.md | ||
| DisallowNewCapabilities.md | ||
| DisallowPrivilegedContainers.md | ||
| DisallowRootUser.md | ||
| DisallowSecretsFromEnvVars.md | ||
| DisallowSysctls.md | ||
| EnsurePodProbesDifferent.md | ||
| README.md | ||
| RequireCertainLabels.md | ||
| RequireDeploymentsHaveReplicas.md | ||
| RequireImagePullPolicyAlways.md | ||
| RequireLabels.md | ||
| RequireLatestImagesNotUseAlways.md | ||
| RequirePodProbes.md | ||
| RequirePodRequestsLimits.md | ||
| RequirePodsDropAll.md | ||
| RequireReadOnlyRootFS.md | ||
| RestrictAutomountSAToken.md | ||
| RestrictImageRegistries.md | ||
| RestrictIngressClasses.md | ||
| RestrictLoadBalancer.md | ||
| RestrictNodePort.md | ||
| SpreadPodsAcrossTopology.md | ||
Sample Policies
Sample policies are designed to be applied to your Kubernetes clusters with minimal changes.
The policies are mostly validation rules in audit mode (i.e. your existing workloads will not be impacted, but will be audited for policy compliance). It is recommended that all policies be tested and observed in a non-production environment before setting enforce mode.
Best Practice Policies
These policies are highly recommended.
- Disallow root user
- Disallow privileged containers
- Disallow new capabilities
- Disallow kernel parameter changes
- Disallow use of bind mounts (
hostPathvolumes) - Disallow docker socket bind mount
- Disallow
hostNetworkandhostPort - Disallow
hostPIDandhostIPC - Disallow use of default namespace
- Disallow latest image tag
- Disallow Helm Tiller
- Require read-only root filesystem
- Require pod resource requests and limits
- Require pod
livenessProbeandreadinessProbe - Add default network policy
- Add namespace quotas
- Add
safe-to-evictfor pods withemptyDirandhostPathvolumes
Additional Policies
These policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments.
- Restrict image registries
- Restrict
NodePortservices - Restrict
LoadBalancerservices - Restrict auto-mount of service account credentials
- Restrict ingress classes
- Restrict User Group
- Require pods are labeled
- Require pods have certain labels
- Require Deployments have multiple replicas
- Spread Pods across topology
- Create Pod Anti-Affinity
- Ensure Pod
livenessProbeandreadinessProbeare different - Disallow mounting Secrets as environment variables
- Add default labels
- Require all Pods drop all capabilities
Miscellaneous Policies
Policies in this group are either highly-specific, involve third-party CRDs, or may be variations on standard Best Practice or Additional policies.
- Require
imagePullPolicyofAlwaysfor images not usinglatesttags - Require images using
latesttag not useimagePullPolicyofAlways
Applying the sample policies
To apply these policies to your cluster, install Kyverno and import the policies as follows:
Install Kyverno
kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml
Apply Kyverno Policies
To start applying policies to your cluster, first clone the repo:
git clone https://github.com/kyverno/kyverno.git
cd kyverno
Import best practices from here:
kubectl create -f samples/best_practices
Import additional policies from here:
kubectl create -f samples/more/