mirror of https://github.com/kyverno/kyverno.git synced 2025-03-10 09:56:55 +00:00
kyverno/examples/best_practices
2019-10-07 14:34:32 -07:00
resources using anyPattern for allowed image registries 2019-10-07 14:34:32 -07:00
policy_mutate_pod_disable_automountingapicred.yaml add policies 2019-09-06 10:03:24 -07:00
policy_validate_container_capabilities.yaml best practice: validate container capability 2019-10-04 18:15:39 -07:00
policy_validate_container_disallow_priviledgedprivelegesecalation.yaml correct spelling 2019-09-18 12:31:14 -07:00
policy_validate_default_namespace.yaml change anypattern to pattern, refer #357 2019-10-01 14:45:16 -07:00
policy_validate_default_network_policy.yaml add policy_validate_namespace_quota.yaml - add policy_validate_default_network_policy.yaml 2019-09-09 23:38:16 -07:00
policy_validate_default_proc_mount.yaml best-practice: validate default proc mount 2019-10-04 17:48:57 -07:00
policy_validate_deny_runasrootuser.yaml update best-practice run as non-root user 2019-09-17 18:36:24 -07:00
policy_validate_disallow_default_serviceaccount.yaml add best-practice: policy_validate_disallow_default_serviceaccount 2019-09-16 14:16:54 -07:00
policy_validate_disallow_node_port.yaml add policy_validate_disallow_node_port.yaml 2019-09-10 11:57:33 -07:00
policy_validate_fsgroup.yaml add security context "fsgroup" 2019-10-04 16:50:23 -07:00
policy_validate_host_network_port.yaml update testrunner, unit test for validate_host_network_port 2019-09-09 16:08:15 -07:00
policy_validate_host_path.yaml update equality operator 2019-10-01 13:08:34 -07:00
policy_validate_hostpid_hosipc.yaml fix hostpid/hostipc test runner 2019-10-01 14:53:58 -07:00
policy_validate_image_latest_ifnotpresent_deny.yaml update validation logic 2019-09-28 14:09:46 -07:00
policy_validate_image_pullpolicy_notalways_deny.yaml add policies 2019-09-06 10:03:24 -07:00
policy_validate_image_tag.yaml add policies 2019-09-06 10:03:24 -07:00
policy_validate_image_tag_latest_deny.yaml add policies 2019-09-06 10:03:24 -07:00
policy_validate_image_tag_notspecified_deny.yaml add policies 2019-09-06 10:03:24 -07:00
policy_validate_namespace_quota.yaml add policy_validate_namespace_quota.yaml - add policy_validate_default_network_policy.yaml 2019-09-09 23:38:16 -07:00
policy_validate_not_readonly_rootfilesystem.yaml change anypattern to pattern, refer #357 2019-10-01 14:45:16 -07:00
policy_validate_pod_probes.yaml add policies 2019-09-06 10:03:24 -07:00
policy_validate_selinux_context.yaml best-practice: validate default proc mount 2019-10-04 17:48:57 -07:00
policy_validate_sysctl_configs.yaml update sysctl 2019-10-07 11:35:04 -07:00
policy_validate_volume_whitelist.yaml remove comment pattern 2019-10-07 14:16:48 -07:00
policy_validate_whitelist_image_registries.yaml using anyPattern for allowed image registries 2019-10-07 14:34:32 -07:00
README.md using anyPattern for allowed image registries 2019-10-07 14:34:32 -07:00

Best Practice Policies

| Best practice | Policy |
|---|---|
| Run as non-root user | policy_validate_deny_runasrootuser.yaml |
| Disallow privileged and privilege escalation | policy_validate_container_disallow_priviledgedprivelegesecalation.yaml |
| Disallow use of host networking and ports | policy_validate_host_network_port.yaml |
| Disallow use of host filesystem | policy_validate_host_path.yaml |
| Disallow hostPID and hostIPC | policy_validate_hostpid_hosipc.yaml |
| Require read only root filesystem | policy_validate_not_readonly_rootfilesystem.yaml |
| Disallow node ports | policy_validate_disallow_node_port.yaml |
| Allow trusted registries | policy_validate_whitelist_image_registries.yaml |
| Require resource requests and limits | policy_validate_pod_resources.yaml |
| Require pod liveness and readiness probes | policy_validate_pod_probes.yaml |
| Require an image tag | policy_validate_image_tag_notspecified_deny.yaml |
| Disallow latest tag and pull IfNotPresent | policy_validate_image_latest_ifnotpresent_deny.yaml |
| Require a namespace (disallow default) | policy_validate_default_namespace.yaml |
| Disallow use of kube-system namespace | |
| Prevent mounting of default service account | policy_validate_disallow_default_serviceaccount.yaml |
| Require a default network policy | policy_validate_default_network_policy.yaml |
| Require namespace quotas and limit ranges | policy_validate_namespace_quota.yaml |
| Allow an FSGroup that owns the pod's volumes | policy_validate_fsgroup.yaml |
| Require SELinux level of the container | policy_validate_selinux_context.yaml |
| Allow default Proc Mount type | policy_validate_default_proc_mount.yaml |
| Allow certain capability to be added | policy_validate_container_capabilities.yaml |
| Allow local tcp/udp port range | policy_validate_sysctl_configs.yaml |
| Allowed volume plugins | policy_validate_volume_whitelist.yaml |