Add dockerfile samples

catalog/dockerfile/dockerfile-deny-expose-22.yaml

@@ -0,0 +1,18 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: dockerfile-deny-expose-port-22
+  labels:
+    dockerfile.tags.kyverno.io: 'dockerfile'
+  annotations:
+    title.policy.kyverno.io: Dockerfile expose port 22 not allowed
+    description.policy.kyverno.io: This Policy ensures that port 22 is not exposed in Dockerfile.
+spec:
+  rules:
+    - name: check-port-exposure
+      assert:
+        all:
+        - message: "Port 22 exposure is not allowed"
+          check:
+            ~.(Stages[].Commands[?Name=='EXPOSE'][]):
+              (contains(Ports, '22') || contains(Ports, '22/TCP')): false

catalog/dockerfile/dockerfile-deny-latest-image.yaml

@@ -0,0 +1,18 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: dockerfile-deny-latest-image-tag
+  labels:
+    dockerfile.tags.kyverno.io: 'dockerfile'
+  annotations:
+    title.policy.kyverno.io: Dockerfile latest image tag not allowed
+    description.policy.kyverno.io: This Policy ensures that no image uses the latest tag in Dockerfile.
+spec:
+  rules:
+    - name: check-latest-tag
+      assert:
+        all:
+        - message: "Latest tag is not allowed"
+          check:
+            ~.(Stages[].From.Image):
+              (contains(@, ':latest')): false

catalog/dockerfile/dockerfile-disallow-apt.yaml

@@ -0,0 +1,18 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: dockerfile-disallow-apt
+  labels:
+    dockerfile.tags.kyverno.io: 'dockerfile'
+  annotations:
+    title.policy.kyverno.io: Ensure apt is not used in Dockerfile
+    description.policy.kyverno.io: This Policy ensures that apt isnt used but apt-get can be used as apt interface is less stable than apt-get and so this preferred.
+spec:
+  rules:
+    - name: dockerfile-disallow-apt
+      assert:
+        any:
+        - message: "apt not allowed"
+          check:
+            ~.(Stages[].Commands[].CmdLine[]):
+              (contains(@, 'apt ')) : false

catalog/dockerfile/dockerfile-disallow-last-user-root.yaml

@@ -0,0 +1,17 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: dockerfile-disallow-last-user-root
+  labels:
+    dockerfile.tags.kyverno.io: 'dockerfile'
+  annotations:
+    title.policy.kyverno.io: Dockerfile last user is not allowed to be root
+    description.policy.kyverno.io: This Policy ensures that last user in Dockerfile is not root.
+spec:
+  rules:
+    - name: check-disallow-last-user-root
+      assert:
+        all:
+        - message: "Last user root not allowed"
+          check:
+            ((Stages[].Commands[?Name == 'USER'][])[-1].User == 'root'): false

catalog/dockerfile/dockerfile-disallow-sudo.yaml

@@ -0,0 +1,18 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: dockerfile-disallow-sudo
+  labels:
+    dockerfile.tags.kyverno.io: 'dockerfile'
+  annotations:
+    title.policy.kyverno.io: Ensure sudo is not used in Dockerfile
+    description.policy.kyverno.io: This Policy ensures that sudo isn’t used.
+spec:
+  rules:
+    - name: dockerfile-disallow-sudo
+      assert:
+        all:
+        - message: "sudo not allowed"
+          check:
+            ~.(Stages[].Commands[].CmdLine[]):
+              (contains(@, 'sudo')) : false 

website/docs/catalog/policies/dockerfile/dockerfile-deny-expose-22.md

@@ -0,0 +1,51 @@
+---
+tags:
+- dockerfile
+---
+# Dockerfile expose port 22 not allowed
+
+## Description
+
+This Policy ensures that port 22 is not exposed in Dockerfile.
+
+## Install
+
+### In cluster
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml
+```
+
+### Download locally
+
+```bash
+curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml
+```
+
+## Manifest
+
+[Original policy](https://github.com/kyverno/kyverno-json/blob/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml)
+[Raw](https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml)
+
+```yaml
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  annotations:
+    description.policy.kyverno.io: This Policy ensures that port 22 is not exposed
+      in Dockerfile.
+    title.policy.kyverno.io: Dockerfile expose port 22 not allowed
+  creationTimestamp: null
+  labels:
+    dockerfile.tags.kyverno.io: dockerfile
+  name: dockerfile-deny-expose-port-22
+spec:
+  rules:
+  - assert:
+      all:
+      - check:
+          ~.(Stages[].Commands[?Name=='EXPOSE'][]):
+            (contains(Ports, '22') || contains(Ports, '22/TCP')): false
+        message: Port 22 exposure is not allowed
+    name: check-port-exposure
+```

website/docs/catalog/policies/dockerfile/dockerfile-deny-latest-image.md

@@ -0,0 +1,51 @@
+---
+tags:
+- dockerfile
+---
+# Dockerfile latest image tag not allowed
+
+## Description
+
+This Policy ensures that no image uses the latest tag in Dockerfile.
+
+## Install
+
+### In cluster
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml
+```
+
+### Download locally
+
+```bash
+curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml
+```
+
+## Manifest
+
+[Original policy](https://github.com/kyverno/kyverno-json/blob/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml)
+[Raw](https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml)
+
+```yaml
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  annotations:
+    description.policy.kyverno.io: This Policy ensures that no image uses the latest
+      tag in Dockerfile.
+    title.policy.kyverno.io: Dockerfile latest image tag not allowed
+  creationTimestamp: null
+  labels:
+    dockerfile.tags.kyverno.io: dockerfile
+  name: dockerfile-deny-latest-image-tag
+spec:
+  rules:
+  - assert:
+      all:
+      - check:
+          ~.(Stages[].From.Image):
+            (contains(@, ':latest')): false
+        message: Latest tag is not allowed
+    name: check-latest-tag
+```

website/docs/catalog/policies/dockerfile/dockerfile-disallow-apt.md

@@ -0,0 +1,51 @@
+---
+tags:
+- dockerfile
+---
+# Ensure apt is not used in Dockerfile
+
+## Description
+
+This Policy ensures that apt isnt used but apt-get can be used as apt interface is less stable than apt-get and so this preferred.
+
+## Install
+
+### In cluster
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml
+```
+
+### Download locally
+
+```bash
+curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml
+```
+
+## Manifest
+
+[Original policy](https://github.com/kyverno/kyverno-json/blob/main/catalog/dockerfile/dockerfile-disallow-apt.yaml)
+[Raw](https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml)
+
+```yaml
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  annotations:
+    description.policy.kyverno.io: This Policy ensures that apt isnt used but apt-get
+      can be used as apt interface is less stable than apt-get and so this preferred.
+    title.policy.kyverno.io: Ensure apt is not used in Dockerfile
+  creationTimestamp: null
+  labels:
+    dockerfile.tags.kyverno.io: dockerfile
+  name: dockerfile-disallow-apt
+spec:
+  rules:
+  - assert:
+      any:
+      - check:
+          ~.(Stages[].Commands[].CmdLine[]):
+            (contains(@, 'apt ')): false
+        message: apt not allowed
+    name: dockerfile-disallow-apt
+```

website/docs/catalog/policies/dockerfile/dockerfile-disallow-last-user-root.md

@@ -0,0 +1,50 @@
+---
+tags:
+- dockerfile
+---
+# Dockerfile last user is not allowed to be root
+
+## Description
+
+This Policy ensures that last user in Dockerfile is not root.
+
+## Install
+
+### In cluster
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml
+```
+
+### Download locally
+
+```bash
+curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml
+```
+
+## Manifest
+
+[Original policy](https://github.com/kyverno/kyverno-json/blob/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml)
+[Raw](https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml)
+
+```yaml
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  annotations:
+    description.policy.kyverno.io: This Policy ensures that last user in Dockerfile
+      is not root.
+    title.policy.kyverno.io: Dockerfile last user is not allowed to be root
+  creationTimestamp: null
+  labels:
+    dockerfile.tags.kyverno.io: dockerfile
+  name: dockerfile-disallow-last-user-root
+spec:
+  rules:
+  - assert:
+      all:
+      - check:
+          ((Stages[].Commands[?Name == 'USER'][])[-1].User == 'root'): false
+        message: Last user root not allowed
+    name: check-disallow-last-user-root
+```

website/docs/catalog/policies/dockerfile/dockerfile-disallow-sudo.md

@@ -0,0 +1,50 @@
+---
+tags:
+- dockerfile
+---
+# Ensure sudo is not used in Dockerfile
+
+## Description
+
+This Policy ensures that sudo isn’t used.
+
+## Install
+
+### In cluster
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml
+```
+
+### Download locally
+
+```bash
+curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml
+```
+
+## Manifest
+
+[Original policy](https://github.com/kyverno/kyverno-json/blob/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml)
+[Raw](https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml)
+
+```yaml
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  annotations:
+    description.policy.kyverno.io: This Policy ensures that sudo isn’t used.
+    title.policy.kyverno.io: Ensure sudo is not used in Dockerfile
+  creationTimestamp: null
+  labels:
+    dockerfile.tags.kyverno.io: dockerfile
+  name: dockerfile-disallow-sudo
+spec:
+  rules:
+  - assert:
+      all:
+      - check:
+          ~.(Stages[].Commands[].CmdLine[]):
+            (contains(@, 'sudo')): false
+        message: sudo not allowed
+    name: dockerfile-disallow-sudo
+```

website/mkdocs.yaml

@@ -39,6 +39,11 @@ nav:
 - Policies:
   - catalog/index.md
   - All:
+    - catalog/policies/dockerfile/dockerfile-deny-expose-22.md
+    - catalog/policies/dockerfile/dockerfile-deny-latest-image.md
+    - catalog/policies/dockerfile/dockerfile-disallow-apt.md
+    - catalog/policies/dockerfile/dockerfile-disallow-last-user-root.md
+    - catalog/policies/dockerfile/dockerfile-disallow-sudo.md
     - catalog/policies/ecs/ecs-cluster-enable-logging.md
     - catalog/policies/ecs/ecs-cluster-required-container-insights.md
     - catalog/policies/ecs/ecs-service-public-ip.md