mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-10 01:46:55 +00:00
Code Activity
kyverno/examples/best_practices/README.md
shivkumar dudhani 59c1e83466 upate readme links and remove duplicate policies
2019-09-08 10:41:07 -07:00

21 lines
3.1 KiB
Markdown
Raw Blame History

# Best Practice Policies
| Best practice | Policy
|------------------------------------------------|-----------------------------------------------------------------------|
| Run as non-root user | [policy_validate_deny_runasrootuser.yaml](policy_validate_deny_runasrootuser.yaml) |
| Disallow privileged and privilege escalation | [policy_validate_container_disallow_priviledgedprivelegesecalation.yaml](policy_validate_container_disallow_priviledgedprivelegesecalation.yaml) |
| Disallow use of host networking and ports | [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml) |
| Disallow use of host filesystem | [policy_validate_host_path.yaml](policy_validate_host_path.yaml) |
| Disallow hostPOD and hostIPC | |
| Require read only root filesystem | |
| Disallow node ports | |
| Allow trusted registries | [policy_validate_image_registries.yaml](policy_validate_image_registries.yaml) |
| Require resource requests and limits | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml) |
| Require pod liveness and readiness probes | [policy_validate_pod_probes.yaml](policy_validate_pod_probes.yaml) |
| Require an image tag | [policy_validate_image_tag_notspecified_deny.yaml](policy_validate_image_tag_notspecified_deny.yaml) |
| Disallow latest tag and pull IfNotPresent | [policy_validate_image_latest_ifnotpresent_deny.yaml](policy_validate_image_latest_ifnotpresent_deny.yaml) |
| Require a namespace (disallow default) | |
| Disallow use of kube-system namespace | |
| Prevent mounting of service account secret | |
| Require a default network policy | |
| Require namespace quotas and limit ranges | |
View git blame Copy permalink