Merge pull request #488 from chipzoller/main
Policy updates
chipzoller authored Jan 13, 2023
2 parents 3b81b48 + 1e7c4fe commit 2c8be70
Showing 70 changed files with 749 additions and 315 deletions.
16 changes: 9 additions & 7 deletions best-practices/add_safe_to_evict/add_safe_to_evict.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ metadata:
annotations:
policies.kyverno.io/category: Other
policies.kyverno.io/subject: Pod,Annotation
policies.kyverno.io/minversion: 1.4.3
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/description: >-
The Kubernetes cluster autoscaler does not evict pods that
use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation
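Review bot: the `minversion` bump from 1.4.3 to 1.6.0 on this line is what the `match.any` syntax introduced further down in this file requires, so the annotation and the rule body now agree. Please check that every policy in this PR that received the `any` conversion also carries `policies.kyverno.io/minversion: 1.6.0`; an `any` match with a lower stated minversion would advertise compatibility the policy no longer has.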
Expand All @@ -14,9 +14,10 @@ spec:
rules:
- name: annotate-empty-dir
match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
metadata:
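Review bot: wrapping the single `resources` block under `any:` keeps the matching behaviour unchanged (a one-element `any` list matches exactly what the flat `resources` form matched), so this is a syntax migration rather than a scoping change. Because the rendered diff drops indentation, confirm in the committed YAML that `- resources:` is nested under `any:` and `kinds:` under it; a mis-indented `kinds` would change what the rule applies to rather than fail loudly.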
Expand All @@ -27,9 +28,10 @@ spec:
- <(emptyDir): {}
- name: annotate-host-path
match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
metadata:
Expand Up @@ -5,6 +5,7 @@ metadata:
annotations:
policies.kyverno.io/title: Disallow empty Ingress host
policies.kyverno.io/category: Best Practices
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Ingress
policies.kyverno.io/description: >-
Expand All @@ -17,9 +18,10 @@ spec:
rules:
- name: disallow-empty-ingress-host
match:
resources:
kinds:
- Ingress
any:
- resources:
kinds:
- Ingress
validate:
message: "The Ingress host name must be defined, not empty."
deny:
8 changes: 5 additions & 3 deletions best-practices/disallow_helm_tiller/disallow_helm_tiller.yaml
Expand Up @@ -5,6 +5,7 @@ metadata:
annotations:
policies.kyverno.io/title: Disallow Helm Tiller
policies.kyverno.io/category: Sample
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Expand All @@ -19,9 +20,10 @@ spec:
rules:
- name: validate-helm-tiller
match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
validate:
message: "Helm Tiller is not allowed"
pattern:
15 changes: 9 additions & 6 deletions best-practices/disallow_latest_tag/disallow_latest_tag.yaml
Expand Up @@ -5,6 +5,7 @@ metadata:
annotations:
policies.kyverno.io/title: Disallow Latest Tag
policies.kyverno.io/category: Best Practices
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Expand All @@ -18,9 +19,10 @@ spec:
rules:
- name: require-image-tag
match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
validate:
message: "An image tag is required."
pattern:
Expand All @@ -29,9 +31,10 @@ spec:
- image: "*:*"
- name: validate-image-tag
match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
validate:
message: "Using a mutable image tag e.g. 'latest' is not allowed."
pattern:
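Review bot: the context line `- image: "*:*"` in the require-image-tag rule only checks that the image string contains a colon, so a reference with a registry port and no tag (`registry.example.com:5000/app`) or a digest-only reference (`app@sha256:...`) both satisfy it, and the validate-image-tag rule below is then the only thing standing between those forms and admission. If the intent is that every image carries an explicit tag, either note that limitation in the description or pair the pattern with a stricter check on the tag portion of the reference.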
8 changes: 5 additions & 3 deletions best-practices/require_labels/require_labels.yaml
Expand Up @@ -5,6 +5,7 @@ metadata:
annotations:
policies.kyverno.io/title: Require Labels
policies.kyverno.io/category: Best Practices
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod, Label
policies.kyverno.io/description: >-
Expand All @@ -18,9 +19,10 @@ spec:
rules:
- name: check-for-labels
match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
validate:
message: "The label `app.kubernetes.io/name` is required."
pattern:
Expand Up @@ -5,6 +5,7 @@ metadata:
annotations:
policies.kyverno.io/title: Restrict External IPs
policies.kyverno.io/category: Best Practices
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Service
policies.kyverno.io/description: >-
Expand All @@ -18,9 +19,10 @@ spec:
rules:
- name: check-ips
match:
resources:
kinds:
- Service
any:
- resources:
kinds:
- Service
validate:
message: "externalIPs are not allowed."
pattern:
8 changes: 5 additions & 3 deletions best-practices/restrict_node_port/restrict_node_port.yaml
Expand Up @@ -5,6 +5,7 @@ metadata:
annotations:
policies.kyverno.io/title: Disallow NodePort
policies.kyverno.io/category: Best Practices
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Service
policies.kyverno.io/description: >-
Expand All @@ -19,9 +20,10 @@ spec:
rules:
- name: validate-nodeport
match:
resources:
kinds:
- Service
any:
- resources:
kinds:
- Service
validate:
message: "Services of type NodePort are not allowed."
pattern:
16 changes: 9 additions & 7 deletions cert-manager/limit-dnsnames/limit-dnsnames.yaml
Expand Up @@ -6,7 +6,7 @@ metadata:
policies.kyverno.io/title: Limit dnsNames
policies.kyverno.io/category: Cert-Manager
policies.kyverno.io/severity: medium
policies.kyverno.io/minversion: 1.3.6
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/subject: Certificate
policies.kyverno.io/description: >-
Some applications will not accept certificates containing more than a single name.
Expand All @@ -18,13 +18,15 @@ spec:
rules:
- name: limit-dnsnames
match:
resources:
kinds:
- Certificate
any:
- resources:
kinds:
- Certificate
validate:
message: Only one dnsNames entry allowed per certificate request.
deny:
conditions:
- key: "{{request.object.spec.dnsNames || `[]` | length(@)}}"
operator: GreaterThan
value: "1"
all:
- key: "{{request.object.spec.dnsNames || `[]` | length(@)}}"
operator: GreaterThan
value: "1"
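Review bot: moving the deny condition from the bare list to `all:` is equivalent for a single condition, and the `|| `[]`` default keeps `length(@)` valid when `dnsNames` is absent, so the logic is unchanged. The description at the top of this file talks about applications that reject certificates with more than a single name, but the key only counts `spec.dnsNames`; if the description is the intent, consider whether other name sources on the Certificate spec (commonName, for example) should be included in the count, otherwise narrow the description to dnsNames so the policy does not promise more than it checks.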
16 changes: 9 additions & 7 deletions cert-manager/limit-duration/limit-duration.yaml
Expand Up @@ -6,7 +6,7 @@ metadata:
policies.kyverno.io/title: Certificate max duration 100 days
policies.kyverno.io/category: Cert-Manager
policies.kyverno.io/severity: medium
policies.kyverno.io/minversion: 1.3.6
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/subject: Certificate
policies.kyverno.io/description: >-
Kubernetes managed non-letsencrypt certificates have to be renewed in every 100 days.
Expand All @@ -16,9 +16,10 @@ spec:
rules:
- name: certificate-duration-max-100days
match:
resources:
kinds:
- Certificate
any:
- resources:
kinds:
- Certificate
preconditions:
all:
- key: "{{ contains(request.object.spec.issuerRef.name, 'letsencrypt') }}"
Expand All @@ -31,6 +32,7 @@ spec:
message: "certificate duration must be < than 2400h (100 days)"
deny:
conditions:
- key: "{{ max( [ to_number(regex_replace_all('h.*',request.object.spec.duration,'')), to_number('2400') ] ) }}"
operator: NotEquals
value: 2400
all:
- key: "{{ max( [ to_number(regex_replace_all('h.*',request.object.spec.duration,'')), to_number('2400') ] ) }}"
operator: NotEquals
value: 2400
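Review bot: the message on the context line `certificate duration must be < than 2400h (100 days)` does not match the condition: `max([duration_hours, 2400]) != 2400` only denies when the duration exceeds 2400h, so exactly 2400h is accepted. Either change the message to "must not exceed 2400h" or compare the extracted number with `GreaterThan` / `2400` directly, which is also easier to read than the `max` / `NotEquals` construction. The `regex_replace_all('h.*', ...)` key also assumes the duration is written in hours; a value without an `h` unit reaches `to_number` unchanged, so a sentence in the description stating that durations must be expressed in hours would help users of this policy.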
7 changes: 4 additions & 3 deletions cert-manager/restrict-issuer/restrict-issuer.yaml
Expand Up @@ -18,9 +18,10 @@ spec:
rules:
- name: restrict-corp-cert-issuer
match:
resources:
kinds:
- Certificate
any:
- resources:
kinds:
- Certificate
validate:
message: When requesting a cert for this domain, you must use our corporate issuer.
pattern:
53 changes: 27 additions & 26 deletions consul/enforce-min-tls-version/enforce-min-tls-version.yaml
@@ -1,30 +1,31 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: enforce-min-tls-version
annotations:
policies.kyverno.io/title: Enforce Consul min TLS version
policies.kyverno.io/category: Consul
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Mesh
kyverno.io/kyverno-version: 1.8.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.24"
policies.kyverno.io/description: >-
This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer.
name: enforce-min-tls-version
annotations:
policies.kyverno.io/title: Enforce Consul min TLS version
policies.kyverno.io/category: Consul
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Mesh
kyverno.io/kyverno-version: 1.8.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.24"
policies.kyverno.io/description: >-
This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer.
spec:
validationFailureAction: enforce
background: true
rules:
- name: check-for-tls-version
match:
resources:
kinds:
- Mesh
validate:
message: The minimum version of TLS is TLS v1_2
pattern:
spec:
tls:
incoming:
tlsMinVersion: TLSv1_2
validationFailureAction: enforce
background: true
rules:
- name: check-for-tls-version
match:
any:
- resources:
kinds:
- Mesh
validate:
message: The minimum version of TLS is TLS v1_2
pattern:
spec:
tls:
incoming:
tlsMinVersion: TLSv1_2
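Review bot: apart from the `match.any` change, the removed and re-added blocks appear identical except for indentation, so this reads as a whitespace-only re-indent plus the syntax migration; reviewing with whitespace ignored would confirm nothing else changed. Separately, the pattern `tlsMinVersion: TLSv1_2` is an exact-match check while the description says "TLS v1.2 or newer": a Mesh that sets `tlsMinVersion: TLSv1_3` would be rejected with `The minimum version of TLS is TLS v1_2` even though it is stricter than what the policy asks for. Kyverno's pattern OR, `tlsMinVersion: "TLSv1_2 | TLSv1_3"`, would accept both and bring the rule in line with its description.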
Expand Up @@ -6,6 +6,7 @@ metadata:
policies.kyverno.io/title: Add Default securityContext
policies.kyverno.io/category: Sample
policies.kyverno.io/subject: Pod
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/description: >-
A Pod securityContext entry defines fields such as the user and group which should be used to run the Pod.
Sometimes choosing default values for users rather than blocking is a better alternative to not impede
Expand All @@ -15,9 +16,10 @@ spec:
rules:
- name: add-default-securitycontext
match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
spec: