mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity
kyverno/samples
History
Jim Bugwadia f31abbffab update disallow_latest_tag
2019-11-10 17:54:38 -08:00
..
best_practices update disallow_latest_tag 2019-11-10 17:54:38 -08:00
more update the policy 2019-10-31 13:29:16 -07:00
AddSafeToEvict.md update disallow_root_user 2019-11-08 19:25:43 -08:00
AssignLinuxCapabilities.md reorganize samples 2019-10-23 14:45:27 -07:00
CheckUserGroup.md reorganize samples 2019-10-23 14:45:27 -07:00
ConfigureKernelParmeters.md reorganize samples 2019-10-23 14:45:27 -07:00
DefaultDenyAllIngress.md update descriptions... 2019-10-23 15:36:37 -07:00
DisallowAutomountSACredentials.md reorganize samples 2019-10-23 14:45:27 -07:00
DisallowBindMounts.md update DisallowBindMounts 2019-11-09 16:33:19 -08:00
DisallowDefaultNamespace.md update disallow_default_namespace and disallow_host_network_port and disallow_host_pid_ipc 2019-11-10 15:50:18 -08:00
DisallowDockerSockMount.md update README.md and markdown 2019-11-01 15:23:42 -07:00
DisallowHelmTiller.md add disallow Helm tiller 2019-11-03 18:19:06 -08:00
DisallowHostNetworkPort.md update disallow_docker_sock_mount and disallow_host_network_port 2019-11-10 12:53:48 -08:00
DisallowHostPIDIPC.md update disallow_latest_tag 2019-11-10 17:54:38 -08:00
DisallowLatestTag.md update disallow_latest_tag 2019-11-10 17:54:38 -08:00
DisallowNewCapabilities.md update disallow new capabilities 2019-11-09 16:07:16 -08:00
DisallowPrivilegedContainers.md update disallow_priviledged 2019-11-08 20:04:42 -08:00
DisallowRootUser.md update disallow_root_user 2019-11-08 19:25:43 -08:00
DisallowUnknownRegistries.md - add policy and test for known ingress 2019-11-05 19:07:44 -08:00
KnownIngressClass.md - add policy and test for known ingress 2019-11-05 19:07:44 -08:00
LimitNodePort.md reorganize samples 2019-10-23 14:45:27 -07:00
README.md update disallow_default_namespace and disallow_host_network_port and disallow_host_pid_ipc 2019-11-10 15:50:18 -08:00
RequireNSLimitsQuotas.md update policy 2019-10-24 18:41:37 -05:00
RequirePodProbes.md update descriptions... 2019-10-23 15:36:37 -07:00
RequirePodRequestsLimits.md update descriptions... 2019-10-23 15:36:37 -07:00
RequireReadOnlyRootFS.md update RequireReadOnlyRootFS 2019-11-09 16:18:33 -08:00

README.md

Sample Policies

Sample policies are designed to be applied to your Kubernetes clusters with minimal changes. To apply these policies to your cluster, install Kyverno and import the policies as follows:

Install Kyverno

kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml

(installation docs)

Apply Kyverno Policies

To start applying policies to your cluster, first clone the repo:

git clone https://github.com/nirmata/kyverno.git
cd kyverno

Import best_practices from here:

kubectl create -f samples/best_practices

Import addition policies from here:

kubectl create -f samples/more/

The policies are mostly validation rules in audit mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.

Best Practice Policies

These policies are highly recommended.

  1. Disallow root user
  2. Disallow privileged containers
  3. Disallow new capabilities
  4. Require read-only root filesystem
  5. Disallow use of bind mounts (hostPath volumes)
  6. Disallow docker socket bind mount
  7. Disallow hostNetwork and hostPort
  8. Disallow hostPID and hostIPC
  9. Disallow use of default namespace
  10. Disallow latest image tag
  11. Disallow Helm Tiller
  12. Restrict image registries
  13. Require namespace limits and quotas
  14. Require pod resource requests and limits
  15. Require pod livenessProbe and readinessProbe
  16. Default deny all ingress traffic
  17. Add safe-to-evict for pods with emptyDir and hostPath volumes

Additional Policies

The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes.

  1. Limit use of NodePort services
  2. Limit automount of Service Account credentials
  3. Configure Linux Capabilities
  4. Limit Kernel parameter access
  5. Restrict ingress classes