add kyverno policies

Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
gwg313 2026-05-27 19:23:54 -04:00
parent 4be877e419
commit baa0216960
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
35 changed files with 843 additions and 39 deletions

View file

@ -0,0 +1,17 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- require-drop-all-capabilities.yaml
- require-no-privilege-escalation.yaml
- require-non-root.yaml
- require-readonly-root-filesystem.yaml
- require-requests-limits.yaml
- require-seccomp-runtime-default.yaml
commonLabels:
app.kubernetes.io/part-of: kyverno-policies
policy-tier: require
commonAnnotations:
argocd.argoproj.io/sync-wave: "1"

View file

@ -0,0 +1,44 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-drop-all-capabilities
annotations:
policies.kyverno.io/title: Require Dropping Linux Capabilities
policies.kyverno.io/category: Pod Security
policies.kyverno.io/severity: high
spec:
validationFailureAction: Enforce
background: true
rules:
- name: require-drop-all-capabilities
match:
any:
- resources:
kinds:
- Pod
validate:
message: "All containers must drop ALL Linux capabilities."
foreach:
- list: "request.object.spec.containers"
pattern:
securityContext:
capabilities:
drop:
- ALL
- list: "request.object.spec.initContainers"
pattern:
securityContext:
capabilities:
drop:
- ALL
- list: "request.object.spec.ephemeralContainers"
pattern:
securityContext:
capabilities:
drop:
- ALL

View file

@ -0,0 +1,43 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-no-privilege-escalation
spec:
validationFailureAction: Enforce
background: true
rules:
- name: require-no-privilege-escalation
match:
any:
- resources:
kinds:
- Pod
validate:
message: "allowPrivilegeEscalation must be false."
foreach:
- list: "request.object.spec.containers"
deny:
conditions:
any:
- key: "{{ element.securityContext.allowPrivilegeEscalation || `false` }}"
operator: Equals
value: true
- list: "request.object.spec.initContainers || []"
deny:
conditions:
any:
- key: "{{ element.securityContext.allowPrivilegeEscalation || `false` }}"
operator: Equals
value: true
- list: "request.object.spec.ephemeralContainers || []"
deny:
conditions:
any:
- key: "{{ element.securityContext.allowPrivilegeEscalation || `false` }}"
operator: Equals
value: true

View file

@ -0,0 +1,52 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-non-root
annotations:
policies.kyverno.io/title: Require Non-Root Containers
policies.kyverno.io/category: Pod Security
policies.kyverno.io/severity: high
spec:
validationFailureAction: Enforce
background: true
rules:
- name: require-pod-run-as-non-root
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Pods must set runAsNonRoot=true."
pattern:
spec:
securityContext:
runAsNonRoot: true
- name: require-container-run-as-non-root
match:
any:
- resources:
kinds:
- Pod
validate:
message: "All containers must set runAsNonRoot=true."
foreach:
- list: "request.object.spec.containers"
pattern:
securityContext:
runAsNonRoot: true
- list: "request.object.spec.initContainers"
pattern:
securityContext:
runAsNonRoot: true
- list: "request.object.spec.ephemeralContainers"
pattern:
securityContext:
runAsNonRoot: true

View file

@ -0,0 +1,38 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-readonly-root-filesystem
annotations:
policies.kyverno.io/title: Require Read-Only Root Filesystem
policies.kyverno.io/category: Pod Security
policies.kyverno.io/severity: high
spec:
validationFailureAction: Audit
background: true
rules:
- name: require-readonly-root-filesystem
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Containers must use readOnlyRootFilesystem=true."
foreach:
- list: "request.object.spec.containers"
pattern:
securityContext:
readOnlyRootFilesystem: true
- list: "request.object.spec.initContainers"
pattern:
securityContext:
readOnlyRootFilesystem: true
- list: "request.object.spec.ephemeralContainers"
pattern:
securityContext:
readOnlyRootFilesystem: true

View file

@ -0,0 +1,53 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-requests-limits
annotations:
argocd.argoproj.io/sync-wave: "0"
policies.kyverno.io/title: Enforce Resource Requests and Limits
policies.kyverno.io/description: >-
Guarantees cluster stability by requiring all application containers
to explicitly declare CPU and Memory requests and limits.
spec:
validationFailureAction: Enforce
background: true
rules:
- name: validate-resources
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- resources:
namespaces:
- default
- kube-system
- kube-public
- kube-node-lease
- argocd
- kyverno
- cilium-ingress
- cilium-secrets
- cert-manager
- sealed-secrets
- nfs-subdir-external-provisioner
- monitoring
- tekton-pipelines-resolvers
- tekton-pipelines
- pipelines-as-code
- cicd
validate:
message: "Resource discipline violation: Containers must declare cpu/memory requests and limits."
pattern:
spec:
containers:
- name: "*"
resources:
requests:
cpu: "?*" # Must not be empty
memory: "?*" # Must not be empty
limits:
cpu: "?*" # Must not be empty
memory: "?*" # Must not be empty

View file

@ -0,0 +1,52 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-seccomp-runtime-default
spec:
validationFailureAction: Enforce
background: true
rules:
- name: require-pod-seccomp-runtime-default
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Pod seccompProfile.type must be RuntimeDefault."
pattern:
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
- name: require-container-seccomp-runtime-default
match:
any:
- resources:
kinds:
- Pod
validate:
message: "All containers must use RuntimeDefault seccomp."
foreach:
- list: "request.object.spec.containers"
pattern:
securityContext:
seccompProfile:
type: RuntimeDefault
- list: "request.object.spec.initContainers"
pattern:
securityContext:
seccompProfile:
type: RuntimeDefault
- list: "request.object.spec.ephemeralContainers"
pattern:
securityContext:
seccompProfile:
type: RuntimeDefault