add kyverno policies

Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
gwg313 2026-05-27 19:23:54 -04:00
parent 4be877e419
commit baa0216960
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
35 changed files with 843 additions and 39 deletions

View file

@ -0,0 +1,35 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-namespace
spec:
validationFailureAction: Enforce
background: true
rules:
- name: no-host-namespaces
match:
any:
- resources:
kinds:
- Pod
- Deployment
- StatefulSet
- DaemonSet
validate:
message: "Host networking, PID, and IPC are not allowed."
deny:
conditions:
any:
- key: "{{ request.object.spec.hostNetwork || false }}"
operator: Equals
value: true
- key: "{{ request.object.spec.hostPID || false }}"
operator: Equals
value: true
- key: "{{ request.object.spec.hostIPC || false }}"
operator: Equals
value: true

View file

@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-hostpath-volumes
spec:
validationFailureAction: Enforce
rules:
- name: no-hostpath
match:
any:
- resources:
kinds: ["Pod"]
validate:
message: "hostPath volumes are not allowed (escape risk)."
pattern:
spec:
volumes:
- (hostPath): null

View file

@ -0,0 +1,38 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Enforce
background: true
rules:
- name: validate-image-tag
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- resources:
selector:
matchExpressions:
- key: app.kubernetes.io/managed-by
operator: In
values:
- tekton-pipelines
- key: tekton.dev/task
operator: Exists
validate:
message: "Using the 'latest' tag or omitting image tags is forbidden. Use a specific version semantic tag."
foreach:
- list: "request.object.spec.containers"
deny:
conditions:
any:
- key: "{{ regex_match('^.*:latest$', '{{ element.image }}') }}"
operator: Equals
value: true
- key: "{{ !contains('{{ element.image }}', ':') }}"
operator: Equals
value: true

View file

@ -0,0 +1,48 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-privileged-containers
annotations:
policies.kyverno.io/title: Disallow Privileged Containers
policies.kyverno.io/category: Pod Security
policies.kyverno.io/severity: critical
spec:
validationFailureAction: Enforce
background: true
rules:
- name: disallow-privileged
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Privileged containers are not allowed."
foreach:
- list: "request.object.spec.containers"
deny:
conditions:
any:
- key: "{{ element.securityContext.privileged || `false` }}"
operator: Equals
value: true
- list: "request.object.spec.initContainers || []"
deny:
conditions:
any:
- key: "{{ element.securityContext.privileged || `false` }}"
operator: Equals
value: true
- list: "request.object.spec.ephemeralContainers || []"
deny:
conditions:
any:
- key: "{{ element.securityContext.privileged || `false` }}"
operator: Equals
value: true

View file

@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- disallow-host-namespace.yaml
- disallow-hostpath-volumes.yaml
- disallow-latest-tag.yaml
- disallow-privileged-containers.yaml
commonLabels:
app.kubernetes.io/part-of: kyverno-policies
policy-tier: disallow
commonAnnotations:
argocd.argoproj.io/sync-wave: "2"