kyverno/samples/README.md

Sample Policies

Sample policies are designed to be applied to your Kubernetes clusters with minimal changes. To apply these policies to your cluster, install Kyverno and import the policies as follows:

Install Kyverno

kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml

(installation docs)

Apply Kyverno Policies

To start applying policies to your cluster, first clone the repo:

git clone https://github.com/nirmata/kyverno.git
cd kyverno

Import best_practices from here:

kubectl create -f samples/best_practices

Import addition policies from here:

kubectl create -f samples/more/

The policies are mostly validation rules in audit mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.

Best Practice Policies

These policies are highly recommended.

1. Run as non-root user
2. Disable privileged containers and disallow privilege escalation
3. Disallow new capabilities
4. Require read-only root filesystem
5. Disallow use of bind mounts (hostPath volumes)
6. Disallow docker socket bind mount
7. Disallow hostNetwork and hostPort
8. Disallow hostPID and hostIPC
9. Disallow unknown image registries
10. Disallow latest image tag
11. Disallow use of default namespace
12. Require namespace limits and quotas
13. Require pod resource requests and limits
14. Require pod livenessProbe and readinessProbe
15. Default deny all ingress traffic
16. Disallow Helm Tiller
17. Add safe-to-evict for pods with emptyDir and hostPath volumes

Additional Policies

The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes.

18. Limit use of NodePort services
19. Limit automount of Service Account credentials
20. Configure Linux Capabilities
21. Limit Kernel parameter access
22. Restrict ingress class