Update disallow-helm-tiller and disallow-latest-tag to include all container types in a pod #1111

Merged
merged 38 commits into from
Aug 14, 2024
Changes from 19 commits
38 commits
74863db
Update disallow-helm-tiller.yaml
dolisss Aug 5, 2024
6313df2
Update artifacthub-pkg.yml
dolisss Aug 5, 2024
ab78502
Merge branch 'kyverno:main' into main
dolisss Aug 6, 2024
f7c7605
Update disallow-latest-tag.yaml
dolisss Aug 6, 2024
ca010a2
Update artifacthub-pkg.yml
dolisss Aug 6, 2024
63c511e
Update bad-pod-latest-fail-first.yaml
dolisss Aug 6, 2024
0f4cf5b
Update bad-pod-latest-success-first.yaml
dolisss Aug 6, 2024
5e6cb53
Update bad-pod-no-tag.yaml
dolisss Aug 6, 2024
3b18868
Update good-pod.yaml
dolisss Aug 6, 2024
a773ac7
Update bad-deploy.yaml
dolisss Aug 6, 2024
4381b0e
Update bad-pod-fail-first.yaml
dolisss Aug 6, 2024
7f26eca
Update bad-pod.yaml
dolisss Aug 6, 2024
7e95415
Update bad-pod-success-first.yaml
dolisss Aug 6, 2024
f535163
Update good-deploy.yaml
dolisss Aug 6, 2024
7a425ba
Update good-pod.yaml
dolisss Aug 6, 2024
48db9a2
Update disallow-latest-tag.yaml
dolisss Aug 6, 2024
9324628
Update disallow-helm-tiller.yaml
dolisss Aug 6, 2024
1e998b2
Update artifacthub-pkg.yml
dolisss Aug 6, 2024
ba7245b
Update artifacthub-pkg.yml
dolisss Aug 6, 2024
34a48e7
Merge branch 'kyverno:main' into main
dolisss Aug 7, 2024
408fe22
Update artifacthub-pkg.yml
dolisss Aug 7, 2024
3df3b44
Update artifacthub-pkg.yml
dolisss Aug 7, 2024
c2b114c
Merge branch 'main' into main
dolisss Aug 12, 2024
72e9cdc
Update artifacthub-pkg.yml
dolisss Aug 12, 2024
6eae741
Merge branch 'main' into main
dolisss Aug 13, 2024
44f4af4
Update artifacthub-pkg.yml
dolisss Aug 13, 2024
f46de98
Update good-pod.yaml
dolisss Aug 14, 2024
ccef2ff
Update bad-deploy.yaml
dolisss Aug 14, 2024
4ef4d04
Update bad-pod-fail-first.yaml
dolisss Aug 14, 2024
74ebde2
Update bad-pod-success-first.yaml
dolisss Aug 14, 2024
c5c11af
Update bad-pod.yaml
dolisss Aug 14, 2024
51446a1
Update good-deploy.yaml
dolisss Aug 14, 2024
7ef7667
Update resource.yaml
dolisss Aug 14, 2024
95207a9
Update bad-pod-latest-fail-first.yaml
dolisss Aug 14, 2024
f235ddb
Update bad-pod-latest-success-first.yaml
dolisss Aug 14, 2024
82a713b
Update bad-pod-no-tag.yaml
dolisss Aug 14, 2024
649f864
Update good-pod.yaml
dolisss Aug 14, 2024
051e3b9
Update resource.yaml
dolisss Aug 14, 2024
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,8 @@ spec:
name: busybox
- image: docker.io/tiller:latest
name: helm-tiller
initContainers:
- image: busybox
name: busybox
- image: docker.io/tiller:latest
name: helm-tiller
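Review bot: the new initContainers block is an exact copy of the containers list (busybox, then docker.io/tiller:latest), so a failing result on this resource cannot show that the violation was raised by the initContainers iteration rather than by the pre-existing containers check. Add, or convert this into, a resource where only initContainers carries the tiller image and the containers list is clean, so the new branch of the policy is exercised on its own.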
Expand Up @@ -8,3 +8,8 @@ spec:
image: docker.io/tiller:latest
- name: somebox
image: busybox:1.35
initContainers:
- name: helm-tiller
image: docker.io/tiller:latest
- name: somebox
image: busybox:1.35
Expand Up @@ -7,4 +7,9 @@ spec:
- name: somebox
image: busybox:1.35
- name: helm-tiller
image: docker.io/tiller:latest
image: docker.io/tiller:latest
initContainers:
- name: somebox
image: busybox:1.35
- name: helm-tiller
image: docker.io/tiller:latest
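Review bot: `image: docker.io/tiller:latest` appears as both the removed and the added line at the end of the containers block with no visible content change, which points to a trailing-newline or trailing-whitespace edit; the same removed/added pair shows up in several other resources in this PR. Leave those lines untouched so the diff contains only the initContainers additions.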
Expand Up @@ -5,4 +5,7 @@ metadata:
spec:
containers:
- name: helm-tiller
image: docker.io/tiller:latest
image: docker.io/tiller:latest
initContainers:
- name: helm-tiller
image: docker.io/tiller:latest
Expand Up @@ -17,4 +17,8 @@ spec:
containers:
- image: busybox:v1.35
name: busybox
command: ["sleep", "3600"]
command: ["sleep", "3600"]
initContainers:
- image: busybox:v1.35
name: busybox
command: ["sleep", "3600"]
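Review bot: the added init container copies `command: ["sleep", "3600"]` from the app container; if this manifest is ever applied to a cluster rather than only run through kyverno-test, the pod waits an hour before the main container starts, because init containers must exit before app containers run. A good-resource fixture only needs a tagged image to satisfy the rule, so dropping the command from the init container (or using a short-lived one) keeps the fixture harmless.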
Expand Up @@ -7,4 +7,9 @@ spec:
- name: busybox
image: busybox:v1.35
- name: nothelmbox
image: busybox:v1.35
image: busybox:v1.35
initContainers:
- name: busybox
image: busybox:v1.35
- name: nothelmbox
image: busybox:v1.35
2 changes: 1 addition & 1 deletion best-practices/disallow-helm-tiller/artifacthub-pkg.yml
Expand Up @@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
digest: 6de64a4a8d611c250dc0190b28b6c757db531063161531e4f68202c0fbda5be4
digest: 3d92f3a2949283ad6d9baa99565e407c5cd78d015e0220750de522ac40ce1de2
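Review bot: the digest is a hash of the policy file, and this PR also changes disallow-helm-tiller.yaml, so it has to be regenerated from the final content of that file; the commit list shows several rounds of artifacthub-pkg.yml updates, which suggests it was recomputed more than once. Confirm that the value committed last matches the policy as merged, otherwise the Artifact Hub metadata check fails.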
17 changes: 11 additions & 6 deletions best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml
Expand Up @@ -11,7 +11,7 @@ metadata:
policies.kyverno.io/description: >-
Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared
resource accessible to any authenticated user. Tiller can lead to privilege escalation as
restricted users can impact other users. It is recommend to use Helm v3+ which does not contain
restricted users can impact other users. It is recommended to use Helm v3+ which does not contain
Tiller for these reasons. This policy validates that there is not an image
containing the name `tiller`.
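Review bot: the description still says the policy "validates that there is not an image containing the name `tiller`", while the rule in this PR now iterates containers, initContainers and ephemeralContainers; say so in the description (for example "in any container, init container or ephemeral container") so the published text matches the behaviour. The recommend/recommended fix is good.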
spec:
Expand All @@ -26,8 +26,13 @@ spec:
- Pod
validate:
message: "Helm Tiller is not allowed"
pattern:
spec:
containers:
- name: "*"
image: "!*tiller*"
foreach:
- list: "request.object.spec.containers"
pattern:
image: "!*tiller*"
- list: "request.object.spec.initContainers"
pattern:
image: "!*tiller*"
- list: "request.object.spec.ephemeralContainers"
pattern:
image: "!*tiller*"
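Review bot: three foreach entries with the identical pattern `image: "!*tiller*"` can be collapsed into one foreach over a flattened list, `list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"`, the form Kyverno's documentation uses for pod container checks, which keeps the three container types in sync in one place. Separately, ephemeral containers are added to a running pod through the pods/ephemeralcontainers subresource; check that the rule's match (only `- Pod` is visible in the context here) also covers that subresource, otherwise the ephemeralContainers branch is only evaluated on pod creation, where that list is normally empty.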
Expand Up @@ -7,4 +7,9 @@ spec:
- name: busybox
image: busybox:latest
- name: nginx
image: nginx:1.35
image: nginx:1.35
initContainers:
- name: busybox
image: busybox:latest
- name: nginx
image: nginx:1.35
Expand Up @@ -7,4 +7,9 @@ spec:
- name: nginx
image: nginx:1.35
- name: busybox
image: busybox:latest
image: busybox:latest
initContainers:
- name: nginx
image: nginx:1.35
- name: busybox
image: busybox:latest
Expand Up @@ -8,6 +8,11 @@ spec:
image: busybox
- name: nginx
image: nginx:1.35
initContainers:
- name: busybox
image: busybox
- name: nginx
image: nginx:1.35
---
apiVersion: v1
kind: Pod
Expand All @@ -19,6 +24,11 @@ spec:
image: nginx:1.35
- name: busybox
image: busybox
initContainers:
- name: nginx
image: nginx:1.35
- name: busybox
image: busybox
---
apiVersion: v1
kind: Pod
Expand All @@ -29,4 +39,9 @@ spec:
- name: busybox
image: busybox
- name: nginx
image: nginx:latest
image: nginx:latest
initContainers:
- name: busybox
image: busybox
- name: nginx
image: nginx:latest
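Review bot: the third pod in this file now carries both an untagged `busybox` and `nginx:latest` (repeated in initContainers), so it violates validate-image-tag as well as require-image-tag; the kyverno-test expectations for this resource need to list both rules, or the nginx image should get a fixed tag if this file is meant to exercise the no-tag rule alone.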
Expand Up @@ -5,4 +5,7 @@ metadata:
spec:
containers:
- name: busybox
image: busybox:v1.35
image: busybox:v1.35
initContainers:
- name: busybox
image: busybox:v1.35
2 changes: 1 addition & 1 deletion best-practices/disallow-latest-tag/artifacthub-pkg.yml
Expand Up @@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Best Practices"
kyverno/subject: "Pod"
digest: 3d19e0d8f2637eca9ad1d700f4fbf556aaa31221ff6c40698b9aadda1f41adb4
digest: 2760272e57d9988ba447f62d23bba382092d00a5e14dbf00555e4170ea90593a
28 changes: 20 additions & 8 deletions best-practices/disallow-latest-tag/disallow-latest-tag.yaml
Expand Up @@ -25,10 +25,16 @@ spec:
- Pod
validate:
message: "An image tag is required."
pattern:
spec:
containers:
- image: "*:*"
foreach:
- list: "request.object.spec.containers"
pattern:
image: "*:*"
- list: "request.object.spec.initContainers"
pattern:
image: "*:*"
- list: "request.object.spec.ephemeralContainers"
pattern:
image: "*:*"
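Review bot: the `image: "*:*"` pattern is now applied to three lists, but it still only checks that a colon appears somewhere in the reference, so `registry.example.com:5000/nginx` (registry port, no tag) satisfies it and `nginx@sha256:<digest>` passes on the digest's colon; the second is presumably intended, the first is not. This predates the PR, but since the pattern is being copied three times it is worth tightening, or at least documenting, in this change rather than in each copy later.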
- name: validate-image-tag
match:
any:
Expand All @@ -37,7 +43,13 @@ spec:
- Pod
validate:
message: "Using a mutable image tag e.g. 'latest' is not allowed."
pattern:
spec:
containers:
- image: "!*:latest"
foreach:
- list: "request.object.spec.containers"
pattern:
image: "!*:latest"
- list: "request.object.spec.initContainers"
pattern:
image: "!*:latest"
- list: "request.object.spec.ephemeralContainers"
pattern:
image: "!*:latest"
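Review bot: none of the updated test resources add an `ephemeralContainers` entry, so the third list in this foreach (and the matching ones in require-image-tag and disallow-helm-tiller) is never exercised by the tests; add at least one bad resource with a violating ephemeral container image and one good resource with a tagged one so the new branch has coverage. The message says "e.g. 'latest'" while the pattern only rejects the literal `latest` tag; that mismatch also predates the PR.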