add kyverno policies
Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
4be877e419
commit
baa0216960
35 changed files with 843 additions and 39 deletions
17
platform/kyverno/policies/20-require/kustomization.yaml
Normal file
17
platform/kyverno/policies/20-require/kustomization.yaml
Normal file
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- require-drop-all-capabilities.yaml
|
||||
- require-no-privilege-escalation.yaml
|
||||
- require-non-root.yaml
|
||||
- require-readonly-root-filesystem.yaml
|
||||
- require-requests-limits.yaml
|
||||
- require-seccomp-runtime-default.yaml
|
||||
|
||||
commonLabels:
|
||||
app.kubernetes.io/part-of: kyverno-policies
|
||||
policy-tier: require
|
||||
|
||||
commonAnnotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-drop-all-capabilities
|
||||
annotations:
|
||||
policies.kyverno.io/title: Require Dropping Linux Capabilities
|
||||
policies.kyverno.io/category: Pod Security
|
||||
policies.kyverno.io/severity: high
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: true
|
||||
|
||||
rules:
|
||||
- name: require-drop-all-capabilities
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
|
||||
validate:
|
||||
message: "All containers must drop ALL Linux capabilities."
|
||||
|
||||
foreach:
|
||||
- list: "request.object.spec.containers"
|
||||
pattern:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
|
||||
- list: "request.object.spec.initContainers"
|
||||
pattern:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
|
||||
- list: "request.object.spec.ephemeralContainers"
|
||||
pattern:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
|
|
@ -0,0 +1,43 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-no-privilege-escalation
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: true
|
||||
|
||||
rules:
|
||||
- name: require-no-privilege-escalation
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
|
||||
validate:
|
||||
message: "allowPrivilegeEscalation must be false."
|
||||
|
||||
foreach:
|
||||
- list: "request.object.spec.containers"
|
||||
deny:
|
||||
conditions:
|
||||
any:
|
||||
- key: "{{ element.securityContext.allowPrivilegeEscalation || `false` }}"
|
||||
operator: Equals
|
||||
value: true
|
||||
|
||||
- list: "request.object.spec.initContainers || []"
|
||||
deny:
|
||||
conditions:
|
||||
any:
|
||||
- key: "{{ element.securityContext.allowPrivilegeEscalation || `false` }}"
|
||||
operator: Equals
|
||||
value: true
|
||||
|
||||
- list: "request.object.spec.ephemeralContainers || []"
|
||||
deny:
|
||||
conditions:
|
||||
any:
|
||||
- key: "{{ element.securityContext.allowPrivilegeEscalation || `false` }}"
|
||||
operator: Equals
|
||||
value: true
|
||||
52
platform/kyverno/policies/20-require/require-non-root.yaml
Normal file
52
platform/kyverno/policies/20-require/require-non-root.yaml
Normal file
|
|
@ -0,0 +1,52 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-non-root
|
||||
annotations:
|
||||
policies.kyverno.io/title: Require Non-Root Containers
|
||||
policies.kyverno.io/category: Pod Security
|
||||
policies.kyverno.io/severity: high
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: true
|
||||
|
||||
rules:
|
||||
- name: require-pod-run-as-non-root
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
|
||||
validate:
|
||||
message: "Pods must set runAsNonRoot=true."
|
||||
pattern:
|
||||
spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
|
||||
- name: require-container-run-as-non-root
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
|
||||
validate:
|
||||
message: "All containers must set runAsNonRoot=true."
|
||||
|
||||
foreach:
|
||||
- list: "request.object.spec.containers"
|
||||
pattern:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
|
||||
- list: "request.object.spec.initContainers"
|
||||
pattern:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
|
||||
- list: "request.object.spec.ephemeralContainers"
|
||||
pattern:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-readonly-root-filesystem
|
||||
annotations:
|
||||
policies.kyverno.io/title: Require Read-Only Root Filesystem
|
||||
policies.kyverno.io/category: Pod Security
|
||||
policies.kyverno.io/severity: high
|
||||
spec:
|
||||
validationFailureAction: Audit
|
||||
background: true
|
||||
|
||||
rules:
|
||||
- name: require-readonly-root-filesystem
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
|
||||
validate:
|
||||
message: "Containers must use readOnlyRootFilesystem=true."
|
||||
|
||||
foreach:
|
||||
- list: "request.object.spec.containers"
|
||||
pattern:
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
|
||||
- list: "request.object.spec.initContainers"
|
||||
pattern:
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
|
||||
- list: "request.object.spec.ephemeralContainers"
|
||||
pattern:
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-requests-limits
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "0"
|
||||
policies.kyverno.io/title: Enforce Resource Requests and Limits
|
||||
policies.kyverno.io/description: >-
|
||||
Guarantees cluster stability by requiring all application containers
|
||||
to explicitly declare CPU and Memory requests and limits.
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: true
|
||||
rules:
|
||||
- name: validate-resources
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- default
|
||||
- kube-system
|
||||
- kube-public
|
||||
- kube-node-lease
|
||||
- argocd
|
||||
- kyverno
|
||||
- cilium-ingress
|
||||
- cilium-secrets
|
||||
- cert-manager
|
||||
- sealed-secrets
|
||||
- nfs-subdir-external-provisioner
|
||||
- monitoring
|
||||
- tekton-pipelines-resolvers
|
||||
- tekton-pipelines
|
||||
- pipelines-as-code
|
||||
- cicd
|
||||
validate:
|
||||
message: "Resource discipline violation: Containers must declare cpu/memory requests and limits."
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- name: "*"
|
||||
resources:
|
||||
requests:
|
||||
cpu: "?*" # Must not be empty
|
||||
memory: "?*" # Must not be empty
|
||||
limits:
|
||||
cpu: "?*" # Must not be empty
|
||||
memory: "?*" # Must not be empty
|
||||
|
|
@ -0,0 +1,52 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-seccomp-runtime-default
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: true
|
||||
|
||||
rules:
|
||||
- name: require-pod-seccomp-runtime-default
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
|
||||
validate:
|
||||
message: "Pod seccompProfile.type must be RuntimeDefault."
|
||||
pattern:
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
- name: require-container-seccomp-runtime-default
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
|
||||
validate:
|
||||
message: "All containers must use RuntimeDefault seccomp."
|
||||
|
||||
foreach:
|
||||
- list: "request.object.spec.containers"
|
||||
pattern:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
- list: "request.object.spec.initContainers"
|
||||
pattern:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
- list: "request.object.spec.ephemeralContainers"
|
||||
pattern:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
Loading…
Add table
Add a link
Reference in a new issue