diff --git a/platform/kyverno/policies/kustomization.yaml b/platform/kyverno/policies/kustomization.yaml
index c869356..e6819f3 100644
--- a/platform/kyverno/policies/kustomization.yaml
+++ b/platform/kyverno/policies/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - disallow-latest-tag.yaml
 - kyverno-cilium-rbac.yaml
 - generate-ns-network-baseline.yaml
+ - require-requests-limits.yaml
diff --git a/platform/kyverno/policies/require-requests-limits.yaml b/platform/kyverno/policies/require-requests-limits.yaml
new file mode 100644
index 0000000..1dd188c
--- /dev/null
+++ b/platform/kyverno/policies/require-requests-limits.yaml
@@ -0,0 +1,48 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-requests-limits
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+ policies.kyverno.io/title: Enforce Resource Requests and Limits
+ policies.kyverno.io/description: >-
+ Guarantees cluster stability by requiring all application containers
+ to explicitly declare CPU and Memory requests and limits.
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: validate-resources
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - default
+ - kube-system
+ - kube-public
+ - kube-node-lease
+ - argocd
+ - kyverno
+ - cilium-ingress
+ - cilium-secrets
+ - cert-manager
+ - sealed-secrets
+ - nfs-subdir-external-provisioner
+ validate:
+ message: "Resource discipline violation: Containers must declare cpu/memory requests and limits."
+ pattern:
+ spec:
+ containers:
+ - name: "*"
+ resources:
+ requests:
+ cpu: "?*" # Must not be empty
+ memory: "?*" # Must not be empty
+ limits:
+ cpu: "?*" # Must not be empty
+ memory: "?*" # Must not be empty
diff --git a/platform/tetragon/policies/block-tmp-execution.yaml b/platform/tetragon/policies/block-tmp-execution.yaml
new file mode 100644
index 0000000..5eb7812
--- /dev/null
+++ b/platform/tetragon/policies/block-tmp-execution.yaml
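Review bot: The validate pattern in require-requests-limits.yaml only walks `spec.containers`, so a Pod whose `initContainers` omit requests or limits is still admitted even though init containers consume node resources while they run, which undercuts the "all application containers" wording in the description annotation. Kyverno's conditional anchor `=(initContainers):` applies a pattern only when the field is present, so the sibling entry below covers init containers without rejecting Pods that have none (ephemeral containers are deliberately left out, since Kubernetes does not allow resources on them). Separately, the exclusion list here exempts `default` while the Tetragon policy in this same commit does not; if the two lists are meant to stay in step, a short comment above `namespaces:` saying why `default` is exempt from this policy would save the next reader from guessing.
```yaml
          spec:
            # … unchanged: containers pattern …
            =(initContainers):
              - name: "*"
                resources:
                  requests:
                    cpu: "?*"
                    memory: "?*"
                  limits:
                    cpu: "?*"
                    memory: "?*"
```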
@@ -0,0 +1,37 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: block-tmp-execution
+ namespace: kube-system
+spec:
+ podSelector:
+ matchExpressions:
+ - key: "io.kubernetes.pod.namespace"
+ operator: "NotIn"
+ values:
+ - kube-system
+ - kube-public
+ - kube-node-lease
+ - argocd
+ - kyverno
+ - cilium-ingress
+ - cilium-secrets
+ - cert-manager
+ - sealed-secrets
+ - nfs-subdir-external-provisioner
+ kprobes:
+ - call: "sys_execve"
+ syscall: true
+ args:
+ - index: 0
+ type: "string"
+ selectors:
+ - matchArgs:
+ - index: 0
+ operator: "Prefix"
+ values:
+ - "/tmp/"
+ - "/var/tmp/"
+ - "/dev/shm/"
+ matchActions:
+ - action: Sigkill
diff --git a/platform/tetragon/policies/example.yaml b/platform/tetragon/policies/example.yaml
deleted file mode 100644
index 11b47b3..0000000
--- a/platform/tetragon/policies/example.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: cilium.io/v1alpha1
-kind: TracingPolicy
-metadata:
- name: "fd-install"
-spec:
- kprobes:
- - call: "fd_install"
- syscall: false
- args:
- - index: 0
- type: "int"
- - index: 1
- type: "file"
- selectors:
- - matchArgs:
- - index: 1
- operator: "Equal"
- values:
- - "/tmp/tetragon"
- matchActions:
- - action: Sigkill
diff --git a/platform/tetragon/policies/kustomization.yaml b/platform/tetragon/policies/kustomization.yaml
index 95c85d3..b672498 100644
--- a/platform/tetragon/policies/kustomization.yaml
+++ b/platform/tetragon/policies/kustomization.yaml
@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - example.yaml
+ - block-tmp-execution.yaml
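Review bot: `kind: TracingPolicy` in block-tmp-execution.yaml is a cluster-scoped Tetragon resource, so the `namespace: kube-system` line under `metadata` is at best ignored by the API server and is a likely source of diff noise or a warning in ArgoCD; if the rule is meant to be cluster-wide, delete that line, and if it was meant to be scoped, the namespaced variant is `kind: TracingPolicyNamespaced`. The `Prefix` selector compares the first argument of `sys_execve` exactly as the caller passed it, so the policy's coverage is defined by that pathname string rather than by the file that ultimately runs, and an enforcement action of `Sigkill` on a mismatch in that assumption is hard to debug after the fact; a comment above `kprobes:` such as `# Prefix match on the literal pathname argument of execve; matching processes are killed (Sigkill)` would state that boundary for whoever tunes the list later. The namespace exclusion list here omits `default`, which the Kyverno policy added in this same commit exempts, so if the two lists are intended to match one of them is out of step.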