mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity
kyverno/samples
History
Chip Zoller c52f07b615
new samples; updates (#1259) 
* new samples; updates

* typos

* add policy to restrict LoadBalancer

* correct sample numbering

* fix typos
2020-11-16 13:39:59 -08:00
..
best_practices new samples; updates (#1259) 2020-11-16 13:39:59 -08:00
more new samples; updates (#1259) 2020-11-16 13:39:59 -08:00
AddDefaultNetworkPolicy.md fix snippet in MD 2020-11-12 09:50:12 -05:00
AddNamespaceQuotas.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
AddSafeToEvict.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
CheckUserGroup.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
CreatePodAntiAffinity.md new samples; updates (#1259) 2020-11-16 13:39:59 -08:00
DisallowBindMounts.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
DisallowDefaultNamespace.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
DisallowDockerSockMount.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
DisallowHelmTiller.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
DisallowHostNetworkPort.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
DisallowHostPIDIPC.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
DisallowLatestTag.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
DisallowNewCapabilities.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
DisallowPrivilegedContainers.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
DisallowRootUser.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
DisallowSysctls.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
README.md new samples; updates (#1259) 2020-11-16 13:39:59 -08:00
RequireCertainLabels.md new samples; updates (#1259) 2020-11-16 13:39:59 -08:00
RequireDeploymentsHaveReplicas.md add sample policy for deployments 2020-11-12 12:31:03 -05:00
RequireLabels.md new samples; updates (#1259) 2020-11-16 13:39:59 -08:00
RequirePodProbes.md new samples; updates (#1259) 2020-11-16 13:39:59 -08:00
RequirePodRequestsLimits.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
RequireReadOnlyRootFS.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
RestrictAutomountSAToken.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
RestrictImageRegistries.md new samples; updates (#1259) 2020-11-16 13:39:59 -08:00
RestrictIngressClasses.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
RestrictLoadBalancer.md new samples; updates (#1259) 2020-11-16 13:39:59 -08:00
RestrictNodePort.md manifest fixes; typos; linting 2020-11-11 13:07:01 -05:00
SpreadPodsAcrossTopology.md new samples; updates (#1259) 2020-11-16 13:39:59 -08:00

README.md

Sample Policies

Sample policies are designed to be applied to your Kubernetes clusters with minimal changes.

The policies are mostly validation rules in audit mode i.e. your existing workloads will not be impacted, but will be audited for policy compliance.

Best Practice Policies

These policies are highly recommended.

  1. Disallow root user
  2. Disallow privileged containers
  3. Disallow new capabilities
  4. Disallow kernel parameter changes
  5. Disallow use of bind mounts (hostPath volumes)
  6. Disallow docker socket bind mount
  7. Disallow hostNetwork and hostPort
  8. Disallow hostPID and hostIPC
  9. Disallow use of default namespace
  10. Disallow latest image tag
  11. Disallow Helm Tiller
  12. Require read-only root filesystem
  13. Require pod resource requests and limits
  14. Require pod livenessProbe and readinessProbe
  15. Add default network policy
  16. Add namespace quotas
  17. Add safe-to-evict for pods with emptyDir and hostPath volumes

Additional Policies

These policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments.

  1. Restrict image registries
  2. Restrict NodePort services
  3. Restrict LoadBalancer services
  4. Restrict auto-mount of service account credentials
  5. Restrict ingress classes
  6. Restrict User Group
  7. Require pods are labeled
  8. Require pods have certain labels
  9. Require Deployments have multiple replicas
  10. Spread Pods across topology
  11. Create Pod Anti-Affinity

Applying the sample policies

To apply these policies to your cluster, install Kyverno and import the policies as follows:

Install Kyverno

kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml

(installation docs)

Apply Kyverno Policies

To start applying policies to your cluster, first clone the repo:

git clone https://github.com/kyverno/kyverno.git
cd kyverno

Import best practices from here:

kubectl create -f samples/best_practices

Import additional policies from here:

kubectl create -f samples/more/