mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-15 17:51:20 +00:00
2.5 KiB
2.5 KiB
Sample Policies
Sample policies are designed to be applied to your Kubernetes clusters with minimal changes. To apply these policies to your cluster, install Kyverno and import the policies as follows:
Install Kyverno
kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
Apply Kyverno Policies
To start applying policies to your cluster, first clone the repo:
git clone https://github.com/nirmata/kyverno.git
cd kyverno
Import best_practices from here:
kubectl create -f samples/best_practices
Import addition policies from here:
kubectl create -f samples/more/
The policies are mostly validation rules in audit
mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.
Best Practice Policies
These policies are highly recommended.
- Disallow root user
- Disallow privileged containers
- Disallow new capabilities
- Require read-only root filesystem
- Disallow use of bind mounts (
hostPath
volumes) - Disallow docker socket bind mount
- Disallow
hostNetwork
andhostPort
- Disallow
hostPID
andhostIPC
- Disallow use of default namespace
- Disallow latest image tag
- Disallow Helm Tiller
- Restrict image registries
- Require namespace limits and quotas
- Require pod resource requests and limits
- Require pod
livenessProbe
andreadinessProbe
- Default deny all ingress traffic
- Add
safe-to-evict
for pods withemptyDir
andhostPath
volumes
Additional Policies
The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes.