mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity
kyverno/samples
History
Jim Bugwadia 7164a9d29d update text
2019-10-23 14:45:27 -07:00
..
best_practices Merge commit '82647670a54ead965c8cb964f3063409d0826070' into 337_policy_description 2019-10-15 12:27:22 -07:00
more Merge commit '82647670a54ead965c8cb964f3063409d0826070' into 337_policy_description 2019-10-15 12:27:22 -07:00
AssignLinuxCapabilities.md reorganize samples 2019-10-23 14:45:27 -07:00
CheckUserGroup.md reorganize samples 2019-10-23 14:45:27 -07:00
ConfigureKernelParmeters.md reorganize samples 2019-10-23 14:45:27 -07:00
DefaultDenyAllIngress.md reorganize samples 2019-10-23 14:45:27 -07:00
DisablePrivilegedContainers.md reorganize samples 2019-10-23 14:45:27 -07:00
DisallowAutomountSACredentials.md reorganize samples 2019-10-23 14:45:27 -07:00
DisallowDefaultNamespace.md reorganize samples 2019-10-23 14:45:27 -07:00
DisallowHostFS.md reorganize samples 2019-10-23 14:45:27 -07:00
DisallowHostNetworkPort.md reorganize samples 2019-10-23 14:45:27 -07:00
DisallowHostPIDIPC.md reorganize samples 2019-10-23 14:45:27 -07:00
DisallowLatestTag.md reorganize samples 2019-10-23 14:45:27 -07:00
DisallowUnknownRegistries.md reorganize samples 2019-10-23 14:45:27 -07:00
LimitNodePort.md reorganize samples 2019-10-23 14:45:27 -07:00
README.md update text 2019-10-23 14:45:27 -07:00
RequireNSLimitsQuotas.md reorganize samples 2019-10-23 14:45:27 -07:00
RequirePodProbes.md reorganize samples 2019-10-23 14:45:27 -07:00
RequirePodRequestsLimits.md reorganize samples 2019-10-23 14:45:27 -07:00
RequireReadOnlyFS.md reorganize samples 2019-10-23 14:45:27 -07:00
RestrictNodePort.md reorganize samples 2019-10-23 14:45:27 -07:00
RunAsNonRootUser.md reorganize samples 2019-10-23 14:45:27 -07:00

README.md

Sample Policies

Sample policies are designed to be applied to your Kubernetes clusters with minimal changes. To apply these policies to your cluster, install Kyverno and import the policies as follows:

Install Kyverno

kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml

(installation docs)

Apply Kyverno Policies


kubectl create -f https://github.com/nirmata/kyverno/raw/master/samples/best_practices/

kubectl create -f https://github.com/nirmata/kyverno/raw/master/samples/more/

The policies are mostly validation rules in audit mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.

Best Practice Policies

These policies are highly recommended.

  1. Run as non-root user
  2. Disable privilege escalation
  3. Require Read-only root filesystem
  4. Disallow use of host filesystem
  5. Disallow hostNetwork and hostPort
  6. Disallow hostPID and hostIPC
  7. Disallow unknown image registries
  8. Disallow latest image tag
  9. Disallow use of default namespace
  10. Require namespace limits and quotas
  11. Require pod resource requests and limits
  12. Require pod livenessProbe and readinessProbe
  13. Default deny all ingress traffic

Additional Policies

The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes.

  1. Limit use of NodePort services
  2. Limit automount of Service Account credentials
  3. Configure Linux Capabilities
  4. Limit Kernel parameter access