From 73624453056ac06d2c3c72575b4d15c9bbc374c3 Mon Sep 17 00:00:00 2001
From: Chip Zoller
Date: Sun, 8 Jan 2023 08:26:04 -0500
Subject: [PATCH 01/11] add rule to policy-for-exceptions
Signed-off-by: Chip Zoller
---
 .../policy-for-exceptions.yaml | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/other/policy-for-exceptions/policy-for-exceptions.yaml b/other/policy-for-exceptions/policy-for-exceptions.yaml
index 694c2ef2f..a2958cad1 100644
--- a/other/policy-for-exceptions/policy-for-exceptions.yaml
+++ b/other/policy-for-exceptions/policy-for-exceptions.yaml
@@ -85,6 +85,23 @@ spec:
 deny:
 conditions:
 any:
- - key: "{{ request.object.spec.match.[any, all][].resources[].namespaces[] }}"
+ - key: "{{ request.object.spec.match.[any, all][].resources[].namespaces[] || `[]`}}"
 operator: AnyNotIn
- value: "{{ request.namespace }}"
\ No newline at end of file
+ value: "{{ request.namespace }}"
+ - name: namespaced-exceptions-only
+ match:
+ any:
+ - resources:
+ kinds:
+ - PolicyException
+ validate:
+ message: >-
+ An exception can only be created for a Namespaced resource, and a Namespace is required.
+ foreach:
+ - list: request.object.spec.match.[any, all][]
+ deny:
+ conditions:
+ any:
+ - key: "{{ element.resources.namespaces[] || `[]` | length(@) }}"
+ operator: Equals
+ value: 0
From c1eec18fcd2d2490b644d7ceea668f9828a9900d Mon Sep 17 00:00:00 2001
From: Chip Zoller
Date: Fri, 13 Jan 2023 09:11:49 -0500
Subject: [PATCH 02/11] add second rule to policy-for-exceptions
Signed-off-by: Chip Zoller
---
 .../policy-for-exceptions.yaml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/other/policy-for-exceptions/policy-for-exceptions.yaml b/other/policy-for-exceptions/policy-for-exceptions.yaml
index a2958cad1..8c3cc3bf2 100644
--- a/other/policy-for-exceptions/policy-for-exceptions.yaml
+++ b/other/policy-for-exceptions/policy-for-exceptions.yaml
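Review bot: The foreach list `request.object.spec.match.[any, all][]` in the new `namespaced-exceptions-only` rule can contain a null entry whenever a PolicyException uses only one of `any`/`all`, because a JMESPath multiselect keeps a missing key as null and flatten passes non-list elements through unchanged; if Kyverno iterates that null element, ``element.resources.namespaces[] || `[]` | length(@)`` evaluates to 0 and the rule denies every such exception. Worth confirming with a test exception that uses only `match.any`; if it reproduces, drop the nulls before iterating, e.g. `- list: request.object.spec.match.[any, all][] | [?resources]`. The first rule's edited key also loses the space before the closing braces (``|| `[]`}}``) while the new rule writes ``|| `[]` }}``; align the two. A short comment above the first rule's key, such as `# defaults to [] so an exception with no namespaces is handled by namespaced-exceptions-only rather than failing here`, would record why the fallback was added, assuming that is the intent.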
@@ -105,3 +105,25 @@ spec:
 - key: "{{ element.resources.namespaces[] || `[]` | length(@) }}"
 operator: Equals
 value: 0
+ - name: policy-namespace-match-polex-namespace
+ match:
+ any:
+ - resources:
+ kinds:
+ - PolicyException
+ validate:
+ message: >-
+ An exception may not be provided for a Namespaced Policy in another Namespace.
+ foreach:
+ - list: request.object.spec.exceptions[]
+ preconditions:
+ any:
+ - key: "{{element.policyName}}"
+ operator: Equals
+ value: "*/*"
+ deny:
+ conditions:
+ any:
+ - key: "{{ element.policyName}}"
+ operator: NotEquals
+ value: "{{request.namespace}}/*"
From f2f1ee19017bcf92eb7860e8b852e9272f1979dc Mon Sep 17 00:00:00 2001
From: Chip Zoller
Date: Fri, 13 Jan 2023 10:11:12 -0500
Subject: [PATCH 03/11] update for any/all in match/exclude
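Review bot: The JMESPath references in the new `policy-namespace-match-polex-namespace` rule are spaced three different ways — `{{element.policyName}}` in the precondition, `{{ element.policyName}}` in the deny condition, `{{request.namespace}}/*` in the value — while the rule above it writes `{{ ... }}` throughout; pick one form, e.g. `- key: "{{ element.policyName }}"` for both keys. The `*/*` precondition is doing real work (it presumably restricts the check to `namespace/name` references, so an exception naming a ClusterPolicy is skipped) but nothing in the rule says so; a comment above `preconditions:` such as `# only namespaced Policy references (namespace/name) are checked; ClusterPolicy names contain no slash` would help the next reader, once that reading is confirmed. The rule also depends on wildcard matching inside `Equals`/`NotEquals`, which is worth stating in the same comment so a later edit does not swap in an operator that compares literally.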
Signed-off-by: Chip Zoller --- .../add_safe_to_evict/add_safe_to_evict.yaml | 16 +++++----- .../disallow_empty_ingress_host.yaml | 8 +++-- .../disallow_helm_tiller.yaml | 8 +++-- .../disallow_latest_tag.yaml | 15 ++++++---- .../require_labels/require_labels.yaml | 8 +++-- .../restrict-service-external-ips.yaml | 8 +++-- .../restrict_node_port.yaml | 8 +++-- .../add-default-securitycontext.yaml | 8 +++-- .../add-image-as-env-var.yaml | 30 +++++++++++-------- .../add-imagepullsecrets.yaml | 9 +++--- other/add-pod-proxies/add-pod-proxies.yaml | 8 +++-- .../add_certificates_volume.yaml | 9 +++--- .../add-env-vars-from-cm.yaml | 8 +++-- other/add_labels/add_labels.yaml | 14 +++++---- other/add_ndots/add_ndots.yaml | 8 +++-- other/add_nodeSelector/add_nodeSelector.yaml | 8 +++-- .../add_node_affinity/add_node_affinity.yaml | 9 +++--- .../add_volume_deployment.yaml | 8 +++-- .../always-pull-images.yaml | 8 +++-- other/block-pod-exec-by-namespace-label.yaml | 9 +++--- other/block-pod-exec-by-namespace.yaml | 9 +++--- .../block-pod-exec-by-pod-and-container.yaml | 9 +++--- other/block-pod-exec-by-pod-label.yaml | 9 +++--- other/block-pod-exec-by-pod-name.yaml | 9 +++--- .../check_serviceaccount.yaml | 10 ++++--- .../create_pod_antiaffinity.yaml | 8 +++-- .../disable-automountserviceaccounttoken.yaml | 14 +++++---- .../disallow_all_secrets.yaml | 24 ++++++++------- .../disallow_localhost_services.yaml | 8 +++-- .../ensure_probes_different.yaml | 13 ++++---- .../exclude_namespaces_dynamically.yaml | 7 +++-- .../imagepullpolicy-always.yaml | 8 +++-- .../inject_sidecar_deployment.yaml | 8 +++-- .../limit_hostpath_type_pv.yaml | 8 +++-- .../limit-hostpath-vols.yaml | 7 +++-- .../limit_containers_per_pod.yaml | 29 ++++++++++-------- .../memory-requests-equal-limits.yaml | 29 ++++++++++-------- .../mitigate_log4shell.yaml | 15 ++++++---- .../mutate-large-termination-gps.yaml | 8 +++-- .../enforce_pod_duration.yaml | 9 +++--- .../prepend_image_registry.yaml | 2 +- 
.../protect-node-taints.yaml | 8 +++-- .../record-creation-details.yaml | 4 ++- ...re_deployments_have_multiple_replicas.yaml | 8 +++-- .../require_image_checksum.yaml | 8 +++-- other/require_netpol/require_netpol.yaml | 9 +++--- other/require_pdb/require_pdb.yaml | 2 +- .../restrict_annotations.yaml | 19 ++++++------ .../restrict_automount_sa_token.yaml | 8 +++-- .../restrict_controlplane_scheduling.yaml | 15 ++++++---- .../restrict_ingress_classes.yaml | 8 +++-- .../restrict_loadbalancer.yaml | 8 +++-- other/restrict_node_label_changes.yaml | 15 ++++++---- other/restrict_node_label_creation.yaml | 8 +++-- .../restrict_node_selection.yaml | 15 ++++++---- .../restrict_pod_count_per_node.yaml | 9 +++--- .../restrict_usergroup_fsgroup_id.yaml | 22 ++++++++------ .../spread_pods_across_topology.yaml | 14 +++++---- other/sync_secrets/sync_secrets.yaml | 8 +++-- 59 files changed, 375 insertions(+), 263 deletions(-) diff --git a/best-practices/add_safe_to_evict/add_safe_to_evict.yaml b/best-practices/add_safe_to_evict/add_safe_to_evict.yaml index 064ad2b68..58f115ccf 100644 --- a/best-practices/add_safe_to_evict/add_safe_to_evict.yaml +++ b/best-practices/add_safe_to_evict/add_safe_to_evict.yaml @@ -5,7 +5,7 @@ metadata: annotations: policies.kyverno.io/category: Other policies.kyverno.io/subject: Pod,Annotation - policies.kyverno.io/minversion: 1.4.3 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation @@ -14,9 +14,10 @@ spec: rules: - name: annotate-empty-dir match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod mutate: patchStrategicMerge: metadata: @@ -27,9 +28,10 @@ spec: - <(emptyDir): {} - name: annotate-host-path match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod mutate: patchStrategicMerge: metadata: 
diff --git a/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml b/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml index db74f1646..73a6a3e04 100644 --- a/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml +++ b/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml @@ -5,6 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Disallow empty Ingress host policies.kyverno.io/category: Best Practices + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/severity: medium policies.kyverno.io/subject: Ingress policies.kyverno.io/description: >- @@ -17,9 +18,10 @@ spec: rules: - name: disallow-empty-ingress-host match: - resources: - kinds: - - Ingress + any: + - resources: + kinds: + - Ingress validate: message: "The Ingress host name must be defined, not empty." deny: diff --git a/best-practices/disallow_helm_tiller/disallow_helm_tiller.yaml b/best-practices/disallow_helm_tiller/disallow_helm_tiller.yaml index b93ae51bf..61dd8c74d 100644 --- a/best-practices/disallow_helm_tiller/disallow_helm_tiller.yaml +++ b/best-practices/disallow_helm_tiller/disallow_helm_tiller.yaml @@ -5,6 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Disallow Helm Tiller policies.kyverno.io/category: Sample + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- @@ -19,9 +20,10 @@ spec: rules: - name: validate-helm-tiller match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "Helm Tiller is not allowed" pattern: diff --git a/best-practices/disallow_latest_tag/disallow_latest_tag.yaml b/best-practices/disallow_latest_tag/disallow_latest_tag.yaml index 15e35acf2..c83cd565e 100644 --- a/best-practices/disallow_latest_tag/disallow_latest_tag.yaml +++ b/best-practices/disallow_latest_tag/disallow_latest_tag.yaml 
@@ -5,6 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Disallow Latest Tag policies.kyverno.io/category: Best Practices + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- @@ -18,9 +19,10 @@ spec: rules: - name: require-image-tag match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "An image tag is required." pattern: @@ -29,9 +31,10 @@ spec: - image: "*:*" - name: validate-image-tag match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "Using a mutable image tag e.g. 'latest' is not allowed." pattern: diff --git a/best-practices/require_labels/require_labels.yaml b/best-practices/require_labels/require_labels.yaml index 7db3954e3..f5108615f 100644 --- a/best-practices/require_labels/require_labels.yaml +++ b/best-practices/require_labels/require_labels.yaml @@ -5,6 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Require Labels policies.kyverno.io/category: Best Practices + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Label policies.kyverno.io/description: >- @@ -18,9 +19,10 @@ spec: rules: - name: check-for-labels match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "The label `app.kubernetes.io/name` is required." pattern: diff --git a/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml b/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml index 08964030e..4d5fdaa95 100644 --- a/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml +++ b/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml 
@@ -5,6 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Restrict External IPs policies.kyverno.io/category: Best Practices + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/severity: medium policies.kyverno.io/subject: Service policies.kyverno.io/description: >- @@ -18,9 +19,10 @@ spec: rules: - name: check-ips match: - resources: - kinds: - - Service + any: + - resources: + kinds: + - Service validate: message: "externalIPs are not allowed." pattern: diff --git a/best-practices/restrict_node_port/restrict_node_port.yaml b/best-practices/restrict_node_port/restrict_node_port.yaml index 9965fdece..5c5cfdb21 100644 --- a/best-practices/restrict_node_port/restrict_node_port.yaml +++ b/best-practices/restrict_node_port/restrict_node_port.yaml @@ -5,6 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Disallow NodePort policies.kyverno.io/category: Best Practices + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/severity: medium policies.kyverno.io/subject: Service policies.kyverno.io/description: >- @@ -19,9 +20,10 @@ spec: rules: - name: validate-nodeport match: - resources: - kinds: - - Service + any: + - resources: + kinds: + - Service validate: message: "Services of type NodePort are not allowed." pattern: diff --git a/other/add-default-securitycontext/add-default-securitycontext.yaml b/other/add-default-securitycontext/add-default-securitycontext.yaml index 55211b56c..b6fb072f2 100644 --- a/other/add-default-securitycontext/add-default-securitycontext.yaml +++ b/other/add-default-securitycontext/add-default-securitycontext.yaml 
@@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Add Default securityContext policies.kyverno.io/category: Sample policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- A Pod securityContext entry defines fields such as the user and group which should be used to run the Pod. Sometimes choosing default values for users rather than blocking is a better alternative to not impede @@ -15,9 +16,10 @@ spec: rules: - name: add-default-securitycontext match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod mutate: patchStrategicMerge: spec: diff --git a/other/add-image-as-env-var/add-image-as-env-var.yaml b/other/add-image-as-env-var/add-image-as-env-var.yaml index e832de3f0..4e6c75d05 100644 --- a/other/add-image-as-env-var/add-image-as-env-var.yaml +++ b/other/add-image-as-env-var/add-image-as-env-var.yaml @@ -8,7 +8,7 @@ metadata: policies.kyverno.io/title: Add Image as Environment Variable policies.kyverno.io/category: Other policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.4.3 + policies.kyverno.io/minversion: 1.6.0 kyverno.io/kyverno-version: 1.6.2 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/subject: Pod @@ -27,9 +27,10 @@ spec: # One Pod - name: pod-containers-1-inject-image match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod preconditions: all: - key: "{{request.object.spec.containers[] | length(@)}}" @@ -43,9 +44,10 @@ spec: # Two or more Pods - name: pod-containers-2-inject-image match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod preconditions: all: - key: "{{request.object.spec.containers[] | length(@)}}" @@ -59,9 +61,10 @@ spec: # Deployment with one Pod - name: deploy-containers-1-inject-image match: - resources: - kinds: - - Deployment + any: + - resources: + kinds: + - Deployment preconditions: all: - key: "{{request.object.spec.template.spec.containers[] | length(@)}}" 
@@ -75,9 +78,10 @@ spec: # Deployment with two or more Pods - name: deploy-containers-2-inject-image match: - resources: - kinds: - - Deployment + any: + - resources: + kinds: + - Deployment preconditions: all: - key: "{{request.object.spec.template.spec.containers[] | length(@)}}" diff --git a/other/add-imagepullsecrets/add-imagepullsecrets.yaml b/other/add-imagepullsecrets/add-imagepullsecrets.yaml index ca8d3e7a3..97da96e2f 100644 --- a/other/add-imagepullsecrets/add-imagepullsecrets.yaml +++ b/other/add-imagepullsecrets/add-imagepullsecrets.yaml @@ -6,7 +6,7 @@ metadata: policies.kyverno.io/title: Add imagePullSecrets policies.kyverno.io/category: Sample policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.4.3 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Images coming from certain registries require authentication in order to pull them, and the kubelet uses this information in the form of an imagePullSecret to pull @@ -17,9 +17,10 @@ spec: rules: - name: add-imagepullsecret match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod mutate: patchStrategicMerge: spec: diff --git a/other/add-pod-proxies/add-pod-proxies.yaml b/other/add-pod-proxies/add-pod-proxies.yaml index 0d353cd46..c1970c5fb 100644 --- a/other/add-pod-proxies/add-pod-proxies.yaml +++ b/other/add-pod-proxies/add-pod-proxies.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Add Pod Proxies policies.kyverno.io/subject: Pod policies.kyverno.io/category: Sample + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- In restricted environments, Pods may not be allowed to egress directly to all destinations and some overrides to specific addresses may need to go through a corporate proxy. @@ -16,9 +17,10 @@ spec: rules: - name: add-pod-proxies match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod mutate: patchStrategicMerge: spec: 
diff --git a/other/add_certificates_volume/add_certificates_volume.yaml b/other/add_certificates_volume/add_certificates_volume.yaml index cb00266b4..60f6f3f70 100644 --- a/other/add_certificates_volume/add_certificates_volume.yaml +++ b/other/add_certificates_volume/add_certificates_volume.yaml @@ -6,7 +6,7 @@ metadata: policies.kyverno.io/title: Add Certificates as a Volume policies.kyverno.io/category: Sample policies.kyverno.io/subject: Pod,Volume - kyverno.io/kyverno-version: 1.5.2 + kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.21" policies.kyverno.io/minversion: 1.5.0 pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,Job,StatefulSet @@ -20,9 +20,10 @@ spec: rules: - name: add-ssl-certs match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod preconditions: all: - key: '{{request.object.metadata.annotations."inject-certs"}}' diff --git a/other/add_env_vars_from_cm/add-env-vars-from-cm.yaml b/other/add_env_vars_from_cm/add-env-vars-from-cm.yaml index f9a717edf..23ad1f520 100644 --- a/other/add_env_vars_from_cm/add-env-vars-from-cm.yaml +++ b/other/add_env_vars_from_cm/add-env-vars-from-cm.yaml @@ -4,6 +4,7 @@ metadata: name: add-env-vars-from-cm annotations: policies.kyverno.io/title: Add Environment Variables from ConfigMap + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Pod policies.kyverno.io/category: Other policies.kyverno.io/description: >- @@ -17,9 +18,10 @@ spec: rules: - name: add-env-vars-from-cm match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod mutate: patchStrategicMerge: spec: diff --git a/other/add_labels/add_labels.yaml b/other/add_labels/add_labels.yaml index 22031d1cd..d0da6e005 100644 --- a/other/add_labels/add_labels.yaml +++ b/other/add_labels/add_labels.yaml 
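Review bot: `policies.kyverno.io/minversion: 1.5.0` is left in place in add_certificates_volume while its `match` block is rewritten to the `any:`/`all:` form, yet every other file this commit converts records that form with `policies.kyverno.io/minversion: 1.6.0` (check_serviceaccount, disallow_all_secrets, disable-automountserviceaccounttoken add it alongside the `kyverno-version` bump). If the any/all syntax is the reason for the 1.6.0 floor, this file should carry `policies.kyverno.io/minversion: 1.6.0` as well; add_node_affinity in this commit has the same kyverno-version-only bump, and by the diffstat exclude_namespaces_dynamically and limit-hostpath-vols appear to receive no annotation update at all. Whatever the correct floor is, one file diverging from the rest of the commit leaves readers unsure which value to trust when deciding whether a policy can be applied to a given cluster.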
@@ -5,6 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Add Labels policies.kyverno.io/category: Sample + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/severity: medium policies.kyverno.io/subject: Label policies.kyverno.io/description: >- @@ -16,12 +17,13 @@ spec: rules: - name: add-labels match: - resources: - kinds: - - Pod - - Service - - ConfigMap - - Secret + any: + - resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret mutate: patchStrategicMerge: metadata: diff --git a/other/add_ndots/add_ndots.yaml b/other/add_ndots/add_ndots.yaml index c2082230e..886a07709 100644 --- a/other/add_ndots/add_ndots.yaml +++ b/other/add_ndots/add_ndots.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Add ndots policies.kyverno.io/category: Sample policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- The ndots value controls where DNS lookups are first performed in a cluster and needs to be set to a lower value than the default of 5 in some cases. @@ -14,9 +15,10 @@ spec: rules: - name: add-ndots match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod mutate: patchStrategicMerge: spec: diff --git a/other/add_nodeSelector/add_nodeSelector.yaml b/other/add_nodeSelector/add_nodeSelector.yaml index e3042493d..05e71a277 100644 --- a/other/add_nodeSelector/add_nodeSelector.yaml +++ b/other/add_nodeSelector/add_nodeSelector.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Add nodeSelector policies.kyverno.io/category: Sample policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- The nodeSelector field uses labels to select the node on which a Pod can be scheduled. This can be useful when Pods have specific needs that only certain nodes in a cluster can provide. 
@@ -14,9 +15,10 @@ spec: rules: - name: add-nodeselector match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod # Adds the `nodeSelector` field to any Pod with two labels. mutate: patchStrategicMerge: diff --git a/other/add_node_affinity/add_node_affinity.yaml b/other/add_node_affinity/add_node_affinity.yaml index 8308ae1d5..006253fab 100644 --- a/other/add_node_affinity/add_node_affinity.yaml +++ b/other/add_node_affinity/add_node_affinity.yaml @@ -7,7 +7,7 @@ metadata: policies.kyverno.io/category: Other policies.kyverno.io/severity: medium policies.kyverno.io/subject: Deployment - kyverno.io/kyverno-version: 1.5.1 + kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.21" policies.kyverno.io/description: >- Node affinity, similar to node selection, is a way to specify which node(s) on which Pods will be scheduled @@ -18,9 +18,10 @@ spec: rules: - name: add-node-affinity-deployment match: - resources: - kinds: - - Deployment + any: + - resources: + kinds: + - Deployment mutate: patchesJson6902: |- - path: "/spec/template/spec/affinity/nodeAffinity/requiredDuringSchedulingIgnoredDuringExecution/nodeSelectorTerms/-1/matchExpressions/-1" diff --git a/other/add_volume_deployment/add_volume_deployment.yaml b/other/add_volume_deployment/add_volume_deployment.yaml index ff32eca3f..f212c58b5 100644 --- a/other/add_volume_deployment/add_volume_deployment.yaml +++ b/other/add_volume_deployment/add_volume_deployment.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Add Volume to Deployment policies.kyverno.io/category: Sample policies.kyverno.io/subject: Deployment, Volume + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Some Kubernetes applications like HashiCorp Vault must perform some modifications to resources in order to invoke their specific functionality. Often times, that functionality 
@@ -16,9 +17,10 @@ spec: rules: - name: add-volume match: - resources: - kinds: - - Deployment + any: + - resources: + kinds: + - Deployment preconditions: any: - key: "{{request.object.spec.template.metadata.annotations.\"vault.k8s.corp.net/inject\"}}" diff --git a/other/always-pull-images/always-pull-images.yaml b/other/always-pull-images/always-pull-images.yaml index 0dfa57b8d..faca650a9 100644 --- a/other/always-pull-images/always-pull-images.yaml +++ b/other/always-pull-images/always-pull-images.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- By default, images that have already been pulled can be accessed by other Pods without re-pulling them if the name and tag are known. In multi-tenant scenarios, @@ -17,9 +18,10 @@ spec: rules: - name: always-pull-images match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod mutate: patchStrategicMerge: spec: diff --git a/other/block-pod-exec-by-namespace-label.yaml b/other/block-pod-exec-by-namespace-label.yaml index b39ffd43a..f0839578c 100644 --- a/other/block-pod-exec-by-namespace-label.yaml +++ b/other/block-pod-exec-by-namespace-label.yaml @@ -5,7 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Block Pod Exec by Namespace Label policies.kyverno.io/category: Sample - policies.kyverno.io/minversion: 1.4.2 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can @@ -17,9 +17,10 @@ spec: rules: - name: deny-exec-by-ns-label match: - resources: - kinds: - - PodExecOptions + any: + - resources: + kinds: + - PodExecOptions context: - name: nslabelexec apiCall: 
diff --git a/other/block-pod-exec-by-namespace.yaml b/other/block-pod-exec-by-namespace.yaml index 0989ba9b5..a350a38e2 100644 --- a/other/block-pod-exec-by-namespace.yaml +++ b/other/block-pod-exec-by-namespace.yaml @@ -5,7 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Block Pod Exec by Namespace Name policies.kyverno.io/category: Sample - policies.kyverno.io/minversion: 1.4.2 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can @@ -17,9 +17,10 @@ spec: rules: - name: deny-exec-ns-pci match: - resources: - kinds: - - PodExecOptions + any: + - resources: + kinds: + - PodExecOptions preconditions: all: - key: "{{ request.operation || 'BACKGROUND' }}" diff --git a/other/block-pod-exec-by-pod-and-container.yaml b/other/block-pod-exec-by-pod-and-container.yaml index 9200e5126..81391cd8a 100644 --- a/other/block-pod-exec-by-pod-and-container.yaml +++ b/other/block-pod-exec-by-pod-and-container.yaml @@ -5,7 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Block Pod Exec by Pod and Container policies.kyverno.io/category: Sample - policies.kyverno.io/minversion: 1.4.2 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can @@ -18,9 +18,10 @@ spec: rules: - name: deny-nginx-exec-in-myapp-maintenance match: - resources: - kinds: - - PodExecOptions + any: + - resources: + kinds: + - PodExecOptions preconditions: all: - key: "{{ request.operation || 'BACKGROUND' }}" diff --git a/other/block-pod-exec-by-pod-label.yaml b/other/block-pod-exec-by-pod-label.yaml index 53c87c9c2..00882b4cf 100644 --- a/other/block-pod-exec-by-pod-label.yaml +++ b/other/block-pod-exec-by-pod-label.yaml 
@@ -5,7 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Block Pod Exec by Pod Label policies.kyverno.io/category: Sample - policies.kyverno.io/minversion: 1.4.2 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can @@ -17,9 +17,10 @@ spec: rules: - name: deny-exec-by-label match: - resources: - kinds: - - PodExecOptions + any: + - resources: + kinds: + - PodExecOptions context: - name: podexeclabel apiCall: diff --git a/other/block-pod-exec-by-pod-name.yaml b/other/block-pod-exec-by-pod-name.yaml index 2ba49b69d..8660990f2 100644 --- a/other/block-pod-exec-by-pod-name.yaml +++ b/other/block-pod-exec-by-pod-name.yaml @@ -5,7 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Block Pod Exec by Pod Name policies.kyverno.io/category: Sample - policies.kyverno.io/minversion: 1.4.2 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can @@ -18,9 +18,10 @@ spec: rules: - name: deny-exec-myapp-maintenance match: - resources: - kinds: - - PodExecOptions + any: + - resources: + kinds: + - PodExecOptions preconditions: all: - key: "{{ request.operation || 'BACKGROUND' }}" diff --git a/other/check_serviceaccount/check_serviceaccount.yaml b/other/check_serviceaccount/check_serviceaccount.yaml index e36d948f4..62f22438b 100644 --- a/other/check_serviceaccount/check_serviceaccount.yaml +++ b/other/check_serviceaccount/check_serviceaccount.yaml 
@@ -6,7 +6,8 @@ metadata: policies.kyverno.io/title: Check ServiceAccount policies.kyverno.io/category: Sample policies.kyverno.io/subject: Pod,ServiceAccount - kyverno.io/kyverno-version: 1.5.2 + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.21" policies.kyverno.io/description: >- ServiceAccounts with privileges to create Pods may be able to do so and name @@ -19,9 +20,10 @@ spec: rules: - name: check-sa match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod preconditions: all: - key: "{{serviceAccountName}}" diff --git a/other/create_pod_antiaffinity/create_pod_antiaffinity.yaml b/other/create_pod_antiaffinity/create_pod_antiaffinity.yaml index d14f89793..accb4dcb3 100644 --- a/other/create_pod_antiaffinity/create_pod_antiaffinity.yaml +++ b/other/create_pod_antiaffinity/create_pod_antiaffinity.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Add Pod Anti-Affinity policies.kyverno.io/category: Sample policies.kyverno.io/subject: Deployment, Pod + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Applications may involve multiple replicas of the same Pod for availability as well as scale purposes, yet Kubernetes does not by default provide a solution for availability. This policy @@ -15,9 +16,10 @@ spec: rules: - name: insert-pod-antiaffinity match: - resources: - kinds: - - Deployment + any: + - resources: + kinds: + - Deployment preconditions: # This precondition selects Pods with the label `app` defined all: diff --git a/other/disable_automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml b/other/disable_automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml index b17ba7df4..6d5e4e38e 100644 --- a/other/disable_automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml +++ b/other/disable_automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml 
@@ -7,7 +7,8 @@ metadata: policies.kyverno.io/category: Other, EKS Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/subject: ServiceAccount - kyverno.io/kyverno-version: 1.5.1 + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.21" policies.kyverno.io/description: >- A new ServiceAccount called `default` is created whenever a new Namespace is created. @@ -18,11 +19,12 @@ spec: rules: - name: disable-automountserviceaccounttoken match: - resources: - kinds: - - ServiceAccount - names: - - default + any: + - resources: + kinds: + - ServiceAccount + names: + - default mutate: patchStrategicMerge: automountServiceAccountToken: false diff --git a/other/disallow_all_secrets/disallow_all_secrets.yaml b/other/disallow_all_secrets/disallow_all_secrets.yaml index 63f6b0612..d0003db16 100644 --- a/other/disallow_all_secrets/disallow_all_secrets.yaml +++ b/other/disallow_all_secrets/disallow_all_secrets.yaml @@ -7,7 +7,8 @@ metadata: policies.kyverno.io/category: Other policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Secret - kyverno.io/kyverno-version: 1.5.1 + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.21" policies.kyverno.io/description: >- Secrets often contain sensitive information which not all Pods need consume. @@ -19,9 +20,10 @@ spec: rules: - name: secrets-not-from-env match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "No Secrets from env." pattern: @@ -43,9 +45,10 @@ spec: X(secretKeyRef): "null" - name: secrets-not-from-envfrom match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "No Secrets from envFrom." pattern: 
@@ -64,9 +67,10 @@ spec: - X(secretRef): "null" - name: secrets-not-from-volumes match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "No Secrets from volumes." pattern: diff --git a/other/disallow_localhost_services/disallow_localhost_services.yaml b/other/disallow_localhost_services/disallow_localhost_services.yaml index 8bcf6292f..0c5123980 100644 --- a/other/disallow_localhost_services/disallow_localhost_services.yaml +++ b/other/disallow_localhost_services/disallow_localhost_services.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: Service + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- A Service of type ExternalName which points back to localhost can potentially be used to exploit vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName @@ -17,9 +18,10 @@ spec: rules: - name: no-localhost-service match: - resources: - kinds: - - Service + any: + - resources: + kinds: + - Service validate: message: "Service of type ExternalName cannot point to localhost." pattern: diff --git a/other/ensure_probes_different/ensure_probes_different.yaml b/other/ensure_probes_different/ensure_probes_different.yaml index a48e34575..f160a70be 100644 --- a/other/ensure_probes_different/ensure_probes_different.yaml +++ b/other/ensure_probes_different/ensure_probes_different.yaml @@ -7,7 +7,7 @@ metadata: policies.kyverno.io/title: Validate Probes policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.3.6 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Liveness and readiness probes accomplish different goals, and setting both to the same 
@@ -19,11 +19,12 @@ spec: rules: - name: validate-probes match: - resources: - kinds: - - Deployment - - DaemonSet - - StatefulSet + any: + - resources: + kinds: + - Deployment + - DaemonSet + - StatefulSet validate: message: "Liveness and readiness probes cannot be the same." deny: diff --git a/other/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml b/other/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml index a77c36414..1a93740f8 100644 --- a/other/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml +++ b/other/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml @@ -26,9 +26,10 @@ spec: name: namespace-filters namespace: default match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod preconditions: all: - key: "{{request.object.metadata.namespace}}" diff --git a/other/imagepullpolicy-always/imagepullpolicy-always.yaml b/other/imagepullpolicy-always/imagepullpolicy-always.yaml index 3797e0697..874c8ce01 100644 --- a/other/imagepullpolicy-always/imagepullpolicy-always.yaml +++ b/other/imagepullpolicy-always/imagepullpolicy-always.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future @@ -18,9 +19,10 @@ spec: rules: - name: imagepullpolicy-always match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: >- The imagePullPolicy must be set to `Always` when the tag `latest` is used. diff --git a/other/inject_sidecar_deployment/inject_sidecar_deployment.yaml b/other/inject_sidecar_deployment/inject_sidecar_deployment.yaml index ca8d05495..03f7a07c1 100644 --- a/other/inject_sidecar_deployment/inject_sidecar_deployment.yaml 
+++ b/other/inject_sidecar_deployment/inject_sidecar_deployment.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Inject Sidecar Container policies.kyverno.io/category: Sample policies.kyverno.io/subject: Pod,Volume + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- The sidecar pattern is very common in Kubernetes whereby other applications can insert components via tacit modification of a submitted resource. This is, for example, @@ -16,9 +17,10 @@ spec: rules: - name: inject-sidecar match: - resources: - kinds: - - Deployment + any: + - resources: + kinds: + - Deployment mutate: patchStrategicMerge: spec: diff --git a/other/limit-hostpath-type-pv/limit_hostpath_type_pv.yaml b/other/limit-hostpath-type-pv/limit_hostpath_type_pv.yaml index 84acadddd..5aa7ec51d 100644 --- a/other/limit-hostpath-type-pv/limit_hostpath_type_pv.yaml +++ b/other/limit-hostpath-type-pv/limit_hostpath_type_pv.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Other policies.kyverno.io/severity: medium policies.kyverno.io/subject: PersistentVolume + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain @@ -18,9 +19,10 @@ spec: rules: - name: limit-hostpath-type-pv-to-slash-data match: - resources: - kinds: - - PersistentVolume + any: + - resources: + kinds: + - PersistentVolume preconditions: all: - key: "{{request.operation || 'BACKGROUND'}}" diff --git a/other/limit-hostpath-vols/limit-hostpath-vols.yaml b/other/limit-hostpath-vols/limit-hostpath-vols.yaml index fdd4e610a..814074fef 100644 --- a/other/limit-hostpath-vols/limit-hostpath-vols.yaml +++ b/other/limit-hostpath-vols/limit-hostpath-vols.yaml 
@@ -23,9 +23,10 @@ spec: rules: - name: limit-hostpath-to-slash-data match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod preconditions: all: - key: "{{ request.object.spec.volumes[?hostPath] | length(@) }}" diff --git a/other/limit_containers_per_pod/limit_containers_per_pod.yaml b/other/limit_containers_per_pod/limit_containers_per_pod.yaml index baed434d2..868af58e9 100644 --- a/other/limit_containers_per_pod/limit_containers_per_pod.yaml +++ b/other/limit_containers_per_pod/limit_containers_per_pod.yaml @@ -5,7 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Limit Containers per Pod policies.kyverno.io/category: Sample - policies.kyverno.io/minversion: 1.3.6 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Pods can have many different containers which @@ -19,12 +19,13 @@ spec: rules: - name: limit-containers-per-pod-controllers match: - resources: - kinds: - - Deployment - - DaemonSet - - Job - - StatefulSet + any: + - resources: + kinds: + - Deployment + - DaemonSet + - Job + - StatefulSet preconditions: all: - key: "{{request.operation || 'BACKGROUND'}}" @@ -40,9 +41,10 @@ spec: value: "4" - name: limit-containers-per-pod-bare match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod preconditions: all: - key: "{{request.operation || 'BACKGROUND'}}" @@ -58,9 +60,10 @@ spec: value: "4" - name: limit-containers-per-pod-cronjob match: - resources: - kinds: - - CronJob + any: + - resources: + kinds: + - CronJob preconditions: all: - key: "{{request.operation || 'BACKGROUND'}}" diff --git a/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml b/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml index aa504a5cf..ca7ff4887 100644 --- a/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml +++ b/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml 
@@ -8,7 +8,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.3.6 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Pods which have memory limits equal to requests are given a QoS class of Guaranteed which is the highest schedulable class. This policy checks that all containers in @@ -19,12 +19,13 @@ spec: rules: - name: memory-requests-equal-limits-deployment match: - resources: - kinds: - - Deployment - - DaemonSet - - StatefulSet - - Job + any: + - resources: + kinds: + - Deployment + - DaemonSet + - StatefulSet + - Job validate: message: "resources.requests.memory must be equal to resources.limits.memory" deny: @@ -35,9 +36,10 @@ spec: value: 0 - name: memory-requests-equal-limits-pod match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "resources.requests.memory must be equal to resources.limits.memory" deny: @@ -48,9 +50,10 @@ spec: value: 0 - name: memory-requests-equal-limits-cronjob match: - resources: - kinds: - - CronJob + any: + - resources: + kinds: + - CronJob validate: message: "resources.requests.memory must be equal to resources.limits.memory" deny: diff --git a/other/mitigate_log4shell/mitigate_log4shell.yaml b/other/mitigate_log4shell/mitigate_log4shell.yaml index de9491a02..38aaa2ada 100644 --- a/other/mitigate_log4shell/mitigate_log4shell.yaml +++ b/other/mitigate_log4shell/mitigate_log4shell.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Log4Shell Mitigation policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.2 + policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/category: Sample policies.kyverno.io/description: >- @@ -21,9 +22,10 @@ spec: rules: - name: add-log4shell-mitigation-initcontainers match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod mutate: patchStrategicMerge: spec: 
@@ -34,9 +36,10 @@ spec: value: "true" - name: add-log4shell-mitigation-containers match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod mutate: patchStrategicMerge: spec: diff --git a/other/mutate-large-termination-gps/mutate-large-termination-gps.yaml b/other/mutate-large-termination-gps/mutate-large-termination-gps.yaml index 996972912..908656b83 100644 --- a/other/mutate-large-termination-gps/mutate-large-termination-gps.yaml +++ b/other/mutate-large-termination-gps/mutate-large-termination-gps.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium kyverno.io/kyverno-version: 1.6.2 + policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- @@ -19,9 +20,10 @@ spec: rules: - name: mutate-termination-grace-period-seconds match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod preconditions: all: - key: "{{request.object.spec.terminationGracePeriodSeconds || `0` }}" diff --git a/other/pod_lifetime_annotation/enforce_pod_duration.yaml b/other/pod_lifetime_annotation/enforce_pod_duration.yaml index 006ba155e..ac14be852 100644 --- a/other/pod_lifetime_annotation/enforce_pod_duration.yaml +++ b/other/pod_lifetime_annotation/enforce_pod_duration.yaml @@ -5,7 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Enforce pod duration policies.kyverno.io/category: Sample - policies.kyverno.io/minversion: 1.4.2 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- This validation is valuable when annotations are used to define durations, @@ -17,9 +17,10 @@ spec: rules: - name: pods-lifetime match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "Pod lifetime exceeds limit of 8h" deny: 
diff --git a/other/prepend_image_registry/prepend_image_registry.yaml b/other/prepend_image_registry/prepend_image_registry.yaml index 2e94213bf..3d65ddbb6 100644 --- a/other/prepend_image_registry/prepend_image_registry.yaml +++ b/other/prepend_image_registry/prepend_image_registry.yaml @@ -7,7 +7,7 @@ metadata: policies.kyverno.io/category: Other policies.kyverno.io/subject: Pod policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kyverno-version: 1.5.1 + kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.21" policies.kyverno.io/description: >- Pulling images from outside registries may be undesirable due to untrustworthiness diff --git a/other/protect_node_taints/protect-node-taints.yaml b/other/protect_node_taints/protect-node-taints.yaml index d0d3ccf5e..efc995a7a 100644 --- a/other/protect_node_taints/protect-node-taints.yaml +++ b/other/protect_node_taints/protect-node-taints.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Protect Node Taints policies.kyverno.io/category: Other policies.kyverno.io/subject: Node + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Node taints are often used as a control in multi-tenant use cases. If users can alter them, they may be able to affect scheduling of @@ -21,9 +22,10 @@ spec: rules: - name: protect-node-taints match: - resources: - kinds: - - Node + any: + - resources: + kinds: + - Node exclude: clusterRoles: - cluster-admin diff --git a/other/record-creation-details/record-creation-details.yaml b/other/record-creation-details/record-creation-details.yaml index 9a4d33b22..56cf7cdb6 100644 --- a/other/record-creation-details/record-creation-details.yaml +++ b/other/record-creation-details/record-creation-details.yaml 
@@ -18,7 +18,9 @@ metadata: This policy writes an annotation with the key `kyverno.io/created-by` having all the userInfo fields present in the AdmissionReview request for any object being created. It then protects this annotation from - tampering or removal making it immutable. + tampering or removal making it immutable. Although this policy matches on + all kinds ("*") it is highly recommend to more narrowly scope it to only + the resources which should be labeled. spec: validationFailureAction: enforce background: false diff --git a/other/require_deployments_have_multiple_replicas/require_deployments_have_multiple_replicas.yaml b/other/require_deployments_have_multiple_replicas/require_deployments_have_multiple_replicas.yaml index 8f4f8f156..bb1c38b39 100644 --- a/other/require_deployments_have_multiple_replicas/require_deployments_have_multiple_replicas.yaml +++ b/other/require_deployments_have_multiple_replicas/require_deployments_have_multiple_replicas.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: Deployment + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Deployments with a single replica cannot be highly available and thus the application may suffer downtime if that one replica goes down. This policy validates that Deployments @@ -17,9 +18,10 @@ spec: rules: - name: deployment-has-multiple-replicas match: - resources: - kinds: - - Deployment + any: + - resources: + kinds: + - Deployment validate: message: "Deployments should have more than one replica to ensure availability." pattern: diff --git a/other/require_image_checksum/require_image_checksum.yaml b/other/require_image_checksum/require_image_checksum.yaml index 5d2cc26cd..e75024622 100644 --- a/other/require_image_checksum/require_image_checksum.yaml +++ b/other/require_image_checksum/require_image_checksum.yaml 
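Review bot: The added description sentence has a typo: `it is highly recommend to more narrowly scope it` should read `it is highly recommended to more narrowly scope it`. The sentence states that the policy matches all kinds (`"*"`) but not why narrowing matters; a short clause such as `because every admission request in the cluster then passes through the mutate and protect rules` would give operators the reason, assuming the `*` match in the rule below (outside this hunk) is what drives it.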
@@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Use of a SHA checksum when pulling an image is often preferable because tags are mutable and can be overwritten. This policy checks to ensure that all images @@ -17,9 +18,10 @@ spec: rules: - name: require-image-checksum match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "Images must use checksums rather than tags." pattern: diff --git a/other/require_netpol/require_netpol.yaml b/other/require_netpol/require_netpol.yaml index 4caccc252..87da7eb3d 100644 --- a/other/require_netpol/require_netpol.yaml +++ b/other/require_netpol/require_netpol.yaml @@ -5,7 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Require NetworkPolicy policies.kyverno.io/category: Sample - policies.kyverno.io/minversion: 1.3.6 + policies.kyverno.io/minversion: 1.6.0 kyverno.io/kyverno-version: 1.6.2 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/subject: Deployment, NetworkPolicy @@ -20,9 +20,10 @@ spec: rules: - name: require-network-policy match: - resources: - kinds: - - Deployment + any: + - resources: + kinds: + - Deployment preconditions: any: - key: "{{request.operation || 'BACKGROUND'}}" diff --git a/other/require_pdb/require_pdb.yaml b/other/require_pdb/require_pdb.yaml index 57366adbc..64d8a2acf 100644 --- a/other/require_pdb/require_pdb.yaml +++ b/other/require_pdb/require_pdb.yaml @@ -5,7 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Require PodDisruptionBudget policies.kyverno.io/category: Sample, EKS Best Practices - policies.kyverno.io/minversion: 1.3.6 + policies.kyverno.io/minversion: 1.6.0 kyverno.io/kyverno-version: 1.6.2 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/subject: Deployment, PodDisruptionBudget 
diff --git a/other/restrict_annotations/restrict_annotations.yaml b/other/restrict_annotations/restrict_annotations.yaml index 19b9f0536..c8bb977fa 100644 --- a/other/restrict_annotations/restrict_annotations.yaml +++ b/other/restrict_annotations/restrict_annotations.yaml @@ -5,7 +5,7 @@ metadata: annotations: policies.kyverno.io/title: Restrict Annotations policies.kyverno.io/category: Sample - policies.kyverno.io/minversion: 1.3.0 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Pod, Annotation policies.kyverno.io/description: >- Some annotations control functionality driven by other cluster-wide tools and are not @@ -19,14 +19,15 @@ spec: rules: - name: block-flux-v1 match: - resources: - kinds: - - Deployment - - CronJob - - Job - - StatefulSet - - DaemonSet - - Pod + any: + - resources: + kinds: + - Deployment + - CronJob + - Job + - StatefulSet + - DaemonSet + - Pod validate: message: Cannot use Flux v1 annotation. pattern: diff --git a/other/restrict_automount_sa_token/restrict_automount_sa_token.yaml b/other/restrict_automount_sa_token/restrict_automount_sa_token.yaml index 530a4269d..f1c735bea 100644 --- a/other/restrict_automount_sa_token/restrict_automount_sa_token.yaml +++ b/other/restrict_automount_sa_token/restrict_automount_sa_token.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Sample, EKS Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod,ServiceAccount + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Kubernetes automatically mounts ServiceAccount credentials in each Pod. The ServiceAccount may be assigned roles allowing Pods to access API resources. @@ -19,9 +20,10 @@ spec: rules: - name: validate-automountServiceAccountToken match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod preconditions: all: - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}" 
diff --git a/other/restrict_controlplane_scheduling/restrict_controlplane_scheduling.yaml b/other/restrict_controlplane_scheduling/restrict_controlplane_scheduling.yaml index f6de441cc..210710e9b 100644 --- a/other/restrict_controlplane_scheduling/restrict_controlplane_scheduling.yaml +++ b/other/restrict_controlplane_scheduling/restrict_controlplane_scheduling.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Restrict control plane scheduling policies.kyverno.io/category: Sample policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Scheduling non-system Pods to control plane nodes (which run kubelet) is often undesirable because it takes away resources from the control plane components and can represent @@ -18,9 +19,10 @@ spec: rules: - name: restrict-controlplane-scheduling-master match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: Pods may not use tolerations which schedule on control plane nodes. pattern: @@ -29,9 +31,10 @@ spec: - key: "!node-role.kubernetes.io/master" - name: restrict-controlplane-scheduling-control-plane match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: Pods may not use tolerations which schedule on control plane nodes. pattern: diff --git a/other/restrict_ingress_classes/restrict_ingress_classes.yaml b/other/restrict_ingress_classes/restrict_ingress_classes.yaml index d9e4ec8ca..994eb64ee 100644 --- a/other/restrict_ingress_classes/restrict_ingress_classes.yaml +++ b/other/restrict_ingress_classes/restrict_ingress_classes.yaml 
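Review bot: As far as the visible context shows, the `restrict-controlplane-scheduling-master` pattern constrains only the toleration `key` (`- key: "!node-role.kubernetes.io/master"`), and the `match.any` conversion leaves that unchanged; in Kubernetes a toleration that omits `key` and uses `operator: Exists` tolerates every taint, including the control-plane ones, so such a Pod would presumably pass both rules. A `deny` condition that rejects tolerations carrying `operator: Exists` without a `key` (for example a JMESPath filter over `request.object.spec.tolerations` — constructed, to be validated against the CLI tests) would close that gap for both rules. The full `pattern` bodies of both rules lie outside the hunks, so this is inferred from the one visible context line.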
@@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: Ingress + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Ingress classes should only be allowed which match up to deployed Ingress controllers in the cluster. Allowing users to define classes which cannot be satisfied by a deployed @@ -20,9 +21,10 @@ spec: rules: - name: validate-ingress match: - resources: - kinds: - - Ingress + any: + - resources: + kinds: + - Ingress validate: message: "Unknown ingress class." pattern: diff --git a/other/restrict_loadbalancer/restrict_loadbalancer.yaml b/other/restrict_loadbalancer/restrict_loadbalancer.yaml index a9c87ed34..313c774c6 100644 --- a/other/restrict_loadbalancer/restrict_loadbalancer.yaml +++ b/other/restrict_loadbalancer/restrict_loadbalancer.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: Service + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Especially in cloud provider environments, a Service having type LoadBalancer will cause the provider to respond by creating a load balancer somewhere in the customer account. This adds @@ -19,9 +20,10 @@ spec: rules: - name: no-LoadBalancer match: - resources: - kinds: - - Service + any: + - resources: + kinds: + - Service validate: message: "Service of type LoadBalancer is not allowed." pattern: diff --git a/other/restrict_node_label_changes.yaml b/other/restrict_node_label_changes.yaml index e15faacbe..f0f2b2655 100644 --- a/other/restrict_node_label_changes.yaml +++ b/other/restrict_node_label_changes.yaml 
@@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Restrict node label changes policies.kyverno.io/category: Sample policies.kyverno.io/subject: Node, Label + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Node labels are critical pieces of metadata upon which many other applications and logic may depend and should not be altered or removed by regular users. @@ -20,9 +21,10 @@ spec: rules: - name: prevent-label-value-changes match: - resources: - kinds: - - Node + any: + - resources: + kinds: + - Node validate: message: "Modifying the `foo` label on a Node is not allowed." deny: @@ -36,9 +38,10 @@ spec: value: "{{ request.oldObject.metadata.labels.foo || '' }}" - name: prevent-label-key-removal match: - resources: - kinds: - - Node + any: + - resources: + kinds: + - Node preconditions: all: - key: "{{ request.operation || 'BACKGROUND' }}" diff --git a/other/restrict_node_label_creation.yaml b/other/restrict_node_label_creation.yaml index 4c039a129..e89c7dda8 100644 --- a/other/restrict_node_label_creation.yaml +++ b/other/restrict_node_label_creation.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Restrict node label creation policies.kyverno.io/category: Sample policies.kyverno.io/subject: Node, Label + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Node labels are critical pieces of metadata upon which many other applications and logic may depend and should not be altered or removed by regular users. Many cloud @@ -21,9 +22,10 @@ spec: rules: - name: prevent-label-set match: - resources: - kinds: - - Node + any: + - resources: + kinds: + - Node preconditions: all: - key: "{{request.operation || 'BACKGROUND'}}" diff --git a/other/restrict_node_selection/restrict_node_selection.yaml b/other/restrict_node_selection/restrict_node_selection.yaml index d094bfce3..b34a2350e 100644 --- a/other/restrict_node_selection/restrict_node_selection.yaml 
+++ b/other/restrict_node_selection/restrict_node_selection.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Restrict node selection policies.kyverno.io/category: Sample policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- The Kubernetes scheduler uses complex logic to determine the optimal placement for new Pods. Users who have access to set certain fields in a Pod spec @@ -18,9 +19,10 @@ spec: rules: - name: restrict-nodeselector match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: Setting the nodeSelector field is prohibited. pattern: @@ -28,9 +30,10 @@ spec: X(nodeSelector): "null" - name: restrict-nodename match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: Setting the nodeName field is prohibited. pattern: diff --git a/other/restrict_pod_count_per_node/restrict_pod_count_per_node.yaml b/other/restrict_pod_count_per_node/restrict_pod_count_per_node.yaml index 708ba0d44..1b5c48869 100644 --- a/other/restrict_pod_count_per_node/restrict_pod_count_per_node.yaml +++ b/other/restrict_pod_count_per_node/restrict_pod_count_per_node.yaml @@ -7,7 +7,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.3.2 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Sometimes Kubernetes Nodes may have a maximum number of Pods they can accommodate due to resources outside CPU and memory such as licensing, or in some @@ -19,9 +19,10 @@ spec: rules: - name: restrict-pod-count match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod context: - name: podcounts apiCall: diff --git a/other/restrict_usergroup_fsgroup_id/restrict_usergroup_fsgroup_id.yaml b/other/restrict_usergroup_fsgroup_id/restrict_usergroup_fsgroup_id.yaml index 541345577..37f8b2878 100644 
--- a/other/restrict_usergroup_fsgroup_id/restrict_usergroup_fsgroup_id.yaml +++ b/other/restrict_usergroup_fsgroup_id/restrict_usergroup_fsgroup_id.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- All processes inside a Pod can be made to run with specific user and groupID by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified @@ -18,9 +19,10 @@ spec: rules: - name: validate-userid match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "User ID should be 1000." pattern: @@ -29,9 +31,10 @@ spec: runAsUser: '1000' - name: validate-groupid match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "Group ID should be 3000." pattern: @@ -40,9 +43,10 @@ spec: runAsGroup: '3000' - name: validate-fsgroup match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "fsgroup should be 2000." pattern: diff --git a/other/spread_pods_across_topology/spread_pods_across_topology.yaml b/other/spread_pods_across_topology/spread_pods_across_topology.yaml index 88ddee5cc..4ae549e4b 100644 --- a/other/spread_pods_across_topology/spread_pods_across_topology.yaml +++ b/other/spread_pods_across_topology/spread_pods_across_topology.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Spread Pods Across Nodes policies.kyverno.io/category: Sample policies.kyverno.io/subject: Deployment, Pod + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Deployments to a Kubernetes cluster with multiple availability zones often need to distribute those replicas to align with those zones to ensure site-level failures 
@@ -16,12 +17,13 @@ spec: - name: spread-pods-across-nodes # Matches any Deployment with the label `distributed=required` match: - resources: - kinds: - - Deployment - selector: - matchLabels: - distributed: required + any: + - resources: + kinds: + - Deployment + selector: + matchLabels: + distributed: required # Mutates the incoming Deployment. mutate: patchStrategicMerge: diff --git a/other/sync_secrets/sync_secrets.yaml b/other/sync_secrets/sync_secrets.yaml index 2357ace27..35031d8ba 100644 --- a/other/sync_secrets/sync_secrets.yaml +++ b/other/sync_secrets/sync_secrets.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Sync Secrets policies.kyverno.io/category: Sample policies.kyverno.io/subject: Secret + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Secrets like registry credentials often need to exist in multiple Namespaces so Pods there have access. Manually duplicating those Secrets @@ -17,9 +18,10 @@ spec: rules: - name: sync-image-pull-secret match: - resources: - kinds: - - Namespace + any: + - resources: + kinds: + - Namespace generate: apiVersion: v1 kind: Secret From dd35f756e87bd40ff4a680e2685b2986e9570dc8 Mon Sep 17 00:00:00 2001 From: Chip Zoller Date: Fri, 13 Jan 2023 10:20:52 -0500 Subject: [PATCH 04/11] bump last few policies Signed-off-by: Chip Zoller --- .../limit-dnsnames/limit-dnsnames.yaml | 16 +++--- .../limit-duration/limit-duration.yaml | 16 +++--- .../restrict-issuer/restrict-issuer.yaml | 7 ++- .../enforce-min-tls-version.yaml | 55 ++++++++++--------- .../disallow_default_tlsoptions.yaml | 13 +++-- 5 files changed, 57 insertions(+), 50 deletions(-) diff --git a/cert-manager/limit-dnsnames/limit-dnsnames.yaml b/cert-manager/limit-dnsnames/limit-dnsnames.yaml index 90a967c43..93f62430e 100644 --- a/cert-manager/limit-dnsnames/limit-dnsnames.yaml +++ b/cert-manager/limit-dnsnames/limit-dnsnames.yaml 
@@ -6,7 +6,7 @@ metadata: policies.kyverno.io/title: Limit dnsNames policies.kyverno.io/category: Cert-Manager policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.3.6 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Certificate policies.kyverno.io/description: >- Some applications will not accept certificates containing more than a single name. @@ -18,13 +18,15 @@ spec: rules: - name: limit-dnsnames match: - resources: - kinds: - - Certificate + any: + - resources: + kinds: + - Certificate validate: message: Only one dnsNames entry allowed per certificate request. deny: conditions: - - key: "{{request.object.spec.dnsNames || `[]` | length(@)}}" - operator: GreaterThan - value: "1" \ No newline at end of file + all: + - key: "{{request.object.spec.dnsNames || `[]` | length(@)}}" + operator: GreaterThan + value: "1" \ No newline at end of file diff --git a/cert-manager/limit-duration/limit-duration.yaml b/cert-manager/limit-duration/limit-duration.yaml index aea008db4..48c47bebc 100644 --- a/cert-manager/limit-duration/limit-duration.yaml +++ b/cert-manager/limit-duration/limit-duration.yaml @@ -6,7 +6,7 @@ metadata: policies.kyverno.io/title: Certificate max duration 100 days policies.kyverno.io/category: Cert-Manager policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.3.6 + policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Certificate policies.kyverno.io/description: >- Kubernetes managed non-letsencrypt certificates have to be renewed in every 100 days. @@ -16,9 +16,10 @@ spec: rules: - name: certificate-duration-max-100days match: - resources: - kinds: - - Certificate + any: + - resources: + kinds: + - Certificate preconditions: all: - key: "{{ contains(request.object.spec.issuerRef.name, 'letsencrypt') }}" 
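Review bot: The rewritten tail of `limit-dnsnames` still ends with `\ No newline at end of file`; since the hunk rewrites the last three lines anyway, `value: "1"` should be followed by a trailing newline so the file is POSIX-clean and future diffs stay minimal. The threshold here is quoted (`value: "1"`) while the sibling `limit-duration` hunk in this commit uses a bare `value: 2400`; Kyverno coerces both, but one convention across the two files rewritten together would read better.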
@@ -31,6 +32,7 @@ spec: message: "certificate duration must be < than 2400h (100 days)" deny: conditions: - - key: "{{ max( [ to_number(regex_replace_all('h.*',request.object.spec.duration,'')), to_number('2400') ] ) }}" - operator: NotEquals - value: 2400 + all: + - key: "{{ max( [ to_number(regex_replace_all('h.*',request.object.spec.duration,'')), to_number('2400') ] ) }}" + operator: NotEquals + value: 2400 diff --git a/cert-manager/restrict-issuer/restrict-issuer.yaml b/cert-manager/restrict-issuer/restrict-issuer.yaml index f83166486..8e731a9c6 100644 --- a/cert-manager/restrict-issuer/restrict-issuer.yaml +++ b/cert-manager/restrict-issuer/restrict-issuer.yaml @@ -18,9 +18,10 @@ spec: rules: - name: restrict-corp-cert-issuer match: - resources: - kinds: - - Certificate + any: + - resources: + kinds: + - Certificate validate: message: When requesting a cert for this domain, you must use our corporate issuer. pattern: diff --git a/consul/enforce-min-tls-version/enforce-min-tls-version.yaml b/consul/enforce-min-tls-version/enforce-min-tls-version.yaml index 25e941ee5..db49a38d1 100644 --- a/consul/enforce-min-tls-version/enforce-min-tls-version.yaml +++ b/consul/enforce-min-tls-version/enforce-min-tls-version.yaml 
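Review bot: In the rewritten `all:` condition, `regex_replace_all('h.*', request.object.spec.duration, '')` is evaluated unconditionally; a Certificate that omits `spec.duration` (cert-manager applies its own default in that case) would presumably hand `null` to the function and surface as a rule error rather than a clean allow or deny. Defaulting the field, e.g. `request.object.spec.duration || '0h'` (constructed — confirm whether missing durations should pass or fail), would make the outcome explicit. The rule `certificate-duration-max-100days` starts in the previous hunk, so its preconditions are outside this one.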
@@ -1,30 +1,31 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: enforce-min-tls-version
- annotations:
- policies.kyverno.io/title: Enforce Consul min TLS version
- policies.kyverno.io/category: Consul
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Mesh
- kyverno.io/kyverno-version: 1.8.0
- policies.kyverno.io/minversion: 1.6.0
- kyverno.io/kubernetes-version: "1.24"
- policies.kyverno.io/description: >-
- This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer.
-spec:
- validationFailureAction: enforce
- background: true
- rules:
- - name: check-for-tls-version
- match:
- resources:
- kinds:
- - Mesh
- validate:
- message: The minimum version of TLS is TLS v1_2
- pattern:
- spec:
- tls:
- incoming:
- tlsMinVersion: TLSv1_2
+ name: enforce-min-tls-version
+ annotations:
+ policies.kyverno.io/title: Enforce Consul min TLS version
+ policies.kyverno.io/category: Consul
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Mesh
+ kyverno.io/kyverno-version: 1.8.0
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/description: >-
+ This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer.
+ spec:
+ validationFailureAction: enforce
+ background: true
+ rules:
+ - name: check-for-tls-version
+ match:
+ any:
+ - resources:
+ kinds:
+ - Mesh
+ validate:
+ message: The minimum version of TLS is TLS v1_2
+ pattern:
+ spec:
+ tls:
+ incoming:
+ tlsMinVersion: TLSv1_2
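Review bot: This hunk removes and re-adds all 27 body lines of the file in order to introduce the three-line `any:` wrapper under `match`, because every line was re-indented by one column; the same re-indent is what left `spec:` indented on the new side, which PATCH 05 then has to repair. Limiting the change to the `match` block and keeping the original indentation elsewhere would leave a three-line diff a reviewer can verify at a glance. `validationFailureAction: enforce` also stays lowercase here while PATCH 07 title-cases the same field in another policy; `validationFailureAction: Enforce` would keep the series consistent.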
diff --git a/traefik/disallow_default_tlsoptions/disallow_default_tlsoptions.yaml b/traefik/disallow_default_tlsoptions/disallow_default_tlsoptions.yaml
index 691f2545f..b3bccd254 100644
--- a/traefik/disallow_default_tlsoptions/disallow_default_tlsoptions.yaml
+++ b/traefik/disallow_default_tlsoptions/disallow_default_tlsoptions.yaml
@@ -7,7 +7,7 @@ metadata:
 policies.kyverno.io/category: Traefik
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: TLSOption
- kyverno.io/kyverno-version: 1.5.1
+ kyverno.io/kyverno-version: 1.6.0
 kyverno.io/kubernetes-version: "1.21"
 policies.kyverno.io/description: >-
 The TLSOption CustomResource sets cluster-wide TLS configuration options for Traefik when
@@ -20,11 +20,12 @@ spec:
 rules:
 - name: disallow-default-tlsoptions
 match:
- resources:
- names:
- - default
- kinds:
- - TLSOption
+ any:
+ - resources:
+ names:
+ - default
+ kinds:
+ - TLSOption
 exclude:
 clusterRoles:
 - cluster-admin
From a879e364c4cae65850a295f6eccc86aecf2f528d Mon Sep 17 00:00:00 2001
From: Chip Zoller
Date: Fri, 13 Jan 2023 10:26:07 -0500
Subject: [PATCH 05/11] fix indentation
Signed-off-by: Chip Zoller
---
 consul/enforce-min-tls-version/enforce-min-tls-version.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/consul/enforce-min-tls-version/enforce-min-tls-version.yaml b/consul/enforce-min-tls-version/enforce-min-tls-version.yaml
index db49a38d1..c77bec745 100644
--- a/consul/enforce-min-tls-version/enforce-min-tls-version.yaml
+++ b/consul/enforce-min-tls-version/enforce-min-tls-version.yaml
@@ -12,7 +12,7 @@ metadata:
 kyverno.io/kubernetes-version: "1.24"
 policies.kyverno.io/description: >-
 This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer.
- spec:
+spec:
 validationFailureAction: enforce
 background: true
 rules:
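Review bot: In the `@@ -20,11 +20,12 @@` hunk the `exclude:` block is left in the legacy top-level `clusterRoles:` form while the adjacent `match:` is converted to `any:`, so the rule now mixes the two styles; whether Kyverno accepts a mixed match/exclude is worth checking against the 1.6.0 version this hunk declares, and converting both keeps the rule uniform: `exclude:` / `  any:` / `  - clusterRoles:` / `    - cluster-admin`. The trailing `exclude` lines are context, so the rule continues past the hunk.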
From dc2aa508ca42bd8c70d2e26d3e65fb6f5383b21c Mon Sep 17 00:00:00 2001
From: Chip Zoller
Date: Fri, 13 Jan 2023 10:46:23 -0500
Subject: [PATCH 06/11] add expiration-for-policyexceptions policy
Signed-off-by: Chip Zoller
---
 .../expiration-for-policyexceptions.yaml | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 other/expiration-for-policyexceptions/expiration-for-policyexceptions.yaml
diff --git a/other/expiration-for-policyexceptions/expiration-for-policyexceptions.yaml b/other/expiration-for-policyexceptions/expiration-for-policyexceptions.yaml
new file mode 100644
index 000000000..422d9640f
--- /dev/null
+++ b/other/expiration-for-policyexceptions/expiration-for-policyexceptions.yaml
@@ -0,0 +1,47 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: expiration-for-policyexceptions
+ annotations:
+ policies.kyverno.io/title: Expiration for PolicyExceptions
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: PolicyException
+ kyverno.io/kyverno-version: 1.9.0
+ policies.kyverno.io/minversion: 1.9.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/description: >-
+ In situations where Ops/Platform teams want to allow exceptions on a
+ temporary basis, there must be a way to remove the PolicyException once the
+ expiration time has been reached. After the exception is removed, the rule(s)
+ for which the exception is granted go back into full effect. This policy generates
+ a ClusterCleanupPolicy with a four hour expiration time after which the PolicyException
+ is deleted. It may be necessary to grant both the Kyverno as well as cleanup controller
+ ServiceAccounts additional permissions to operate this policy.
+spec:
+ - name: expire-four-hours
+ match:
+ any:
+ - resources:
+ kinds:
+ - PolicyException
+ generate:
+ apiVersion: kyverno.io/v2alpha1
+ kind: ClusterCleanupPolicy
+ name: polex-{{ request.namespace }}-{{ request.object.metadata.name }}-{{ random('[0-9a-z]{8}') }}
+ synchronize: false
+ data:
+ metadata:
+ labels:
+ kyverno.io/automated: "true"
+ spec:
+ schedule: "{{ time_add('{{ time_now_utc() }}','4h') | time_to_cron(@) }}"
+ match:
+ any:
+ - resources:
+ kinds:
+ - PolicyException
+ namespaces:
+ - "{{ request.namespace }}"
+ names:
+ - "{{ request.object.metadata.name }}"
From e6e3c0756bf4f9e3a47d9a3cf2f786df8f7cc15c Mon Sep 17 00:00:00 2001
From: Chip Zoller
Date: Fri, 13 Jan 2023 10:49:57 -0500
Subject: [PATCH 07/11] title case
Signed-off-by: Chip Zoller
---
 other/policy-for-exceptions/policy-for-exceptions.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
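Review bot: `spec:` on the new side is followed directly by `- name: expire-four-hours`, so the ClusterPolicy spec is a sequence rather than a mapping and the `rules:` key that every other policy in this series declares is missing; the API server should reject this manifest on apply. Insert `rules:` between `spec:` and the rule entry and indent the rule under it. The generated name also carries a random suffix, so if generation fires on a PolicyException update as well as on its creation, a second ClusterCleanupPolicy would be created while the first remains; a comment above `generate:` stating which operations are expected to trigger it (or a `request.operation` precondition) would make the intent explicit.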
diff --git a/other/policy-for-exceptions/policy-for-exceptions.yaml b/other/policy-for-exceptions/policy-for-exceptions.yaml
index 8c3cc3bf2..8aa8e57db 100644
--- a/other/policy-for-exceptions/policy-for-exceptions.yaml
+++ b/other/policy-for-exceptions/policy-for-exceptions.yaml
@@ -18,7 +18,7 @@ metadata:
 with these scoping best practices. These rules may be changed/removed depending on the exception practices to be implemented.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: false
 rules:
 - name: single-policy
From bf89f44d9ea361d0a97926cf5b6e33fa15d97464 Mon Sep 17 00:00:00 2001
From: Chip Zoller
Date: Fri, 13 Jan 2023 10:54:37 -0500
Subject: [PATCH 08/11] add time-bound-policy
Signed-off-by: Chip Zoller
---
 .../time-bound-policy/time-bound-policy.yaml | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 other/time-bound-policy/time-bound-policy.yaml
diff --git a/other/time-bound-policy/time-bound-policy.yaml b/other/time-bound-policy/time-bound-policy.yaml
new file mode 100644
index 000000000..81fc251ff
--- /dev/null
+++ b/other/time-bound-policy/time-bound-policy.yaml
@@ -0,0 +1,42 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: time-bound-policy
+ annotations:
+ policies.kyverno.io/title: Time-Bound Policy
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/minversion: 1.9.0
+ kyverno.io/kyverno-version: 1.9.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/subject: ConfigMap
+ policies.kyverno.io/description: >-
+ Sometimes a policy should be active or inactive based on a time window
+ determined as part of the policy. Whether the policy should come into play
+ should be dependent on that time. This policy illustrates how to time-bound
+ any policy by using preconditions with JMESPath time filters. In this case,
+ the policy enforces that label `foo` be required on all ConfigMaps during
+ the hours of 8am-5pm EST (expressed in UTC). Additional, similar preconditions
+ may be added to perform other time checks, for example a range of days.
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: require-foo-on-configmaps
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ preconditions:
+ all:
+ # Get the hour of the current time
+ - key: "{{ time_now_utc().time_to_cron(@).split(@,' ') | [1].to_number(@) }}"
+ operator: AnyIn
+ # Only operate during business hours, 8am-5pm EST, in UTC
+ value: 13-22
+ validate:
+ message: "The foo label must be set."
+ pattern:
+ metadata:
+ labels:
+ foo: "?*"
\ No newline at end of file
From a83b2d2a49b4eb8c4eb6bd8a15fb68a555fde630 Mon Sep 17 00:00:00 2001
From: Chip Zoller
Date: Fri, 13 Jan 2023 11:41:25 -0500
Subject: [PATCH 09/11] add namespace-inventory-check
Signed-off-by: Chip Zoller
---
 .../namespace-inventory-check.yaml | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 other/namespace-inventory-check/namespace-inventory-check.yaml
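Review bot: The precondition hard-codes the UTC hours `13-22` while the description and the inline comment promise 8am-5pm EST; UTC does not observe daylight saving, so for roughly half the year the window is 9am-6pm local time, and the inclusive range also admits the whole 22:00 hour. Either state the window in UTC only, or extend the description with `Note that UTC has no daylight-saving shift, so the local window moves by one hour during EDT.` The annotations also omit `policies.kyverno.io/severity`, which the other new policies in this series carry; add it if the policy is meant to be rated like its siblings.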
diff --git a/other/namespace-inventory-check/namespace-inventory-check.yaml b/other/namespace-inventory-check/namespace-inventory-check.yaml
new file mode 100644
index 000000000..86a1b7f3a
--- /dev/null
+++ b/other/namespace-inventory-check/namespace-inventory-check.yaml
@@ -0,0 +1,78 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: namespace-inventory-check
+ annotations:
+ policies.kyverno.io/title: Namespace Inventory Check
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Namespace
+ kyverno.io/kyverno-version: 1.9.0
+ policies.kyverno.io/minversion: 1.9.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/description: >-
+ In cases such as multi-tenancy where new Namespaces must be fully
+ provisioned before they can be used, it may not be easy to declare and
+ understand if/when the Namespace is ready. Having a policy which defines
+ all the resources which are required for each Namespace can assist in determining
+ compliance. This policy, expected to be run in background mode only, performs a Namespace
+ inventory check to ensure that all Namespaces have a ResourceQuota and NetworkPolicy.
+ Additional rules may be written to extend the check for your needs. By default, background
+ scans occur every one hour which may be changed with an additional container flag. Please
+ see the installation documentation for details.
+spec:
+ background: true
+ validationFailureAction: Audit
+ rules:
+ - name: resourcequotas
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - kube-public
+ - kube-node-lease
+ context:
+ - name: resourcequotas
+ apiCall:
+ urlPath: "/api/v1/namespaces/{{request.object.metadata.name}}/resourcequotas"
+ jmesPath: "items[] | length(@)"
+ validate:
+ message: "Every Namespace must have at least one ResourceQuota."
+ deny:
+ conditions:
+ all:
+ - key: "{{ resourcequotas }}"
+ operator: Equals
+ value: 0
+ - name: networkpolicies
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - kube-public
+ - kube-node-lease
+ context:
+ - name: netpols
+ apiCall:
+ urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.object.metadata.name}}/networkpolicies"
+ jmesPath: "items[] | length(@)"
+ validate:
+ message: "Every Namespace must have at least one NetworkPolicy."
+ deny:
+ conditions:
+ all:
+ - key: "{{ netpols }}"
+ operator: Equals
+ value: 0
\ No newline at end of file
From 49a9f256efed53fe21004836cfe30151529888ae Mon Sep 17 00:00:00 2001
From: Chip Zoller
Date: Fri, 13 Jan 2023 15:00:35 -0500
Subject: [PATCH 10/11] add refresh-volumes-in-pods
Signed-off-by: Chip Zoller
---
 .../refresh-volumes-in-pods.yaml | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 other/refresh-volumes-in-pods/refresh-volumes-in-pods.yaml
diff --git a/other/refresh-volumes-in-pods/refresh-volumes-in-pods.yaml b/other/refresh-volumes-in-pods/refresh-volumes-in-pods.yaml
new file mode 100644
index 000000000..5285a68a1
--- /dev/null
+++ b/other/refresh-volumes-in-pods/refresh-volumes-in-pods.yaml
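Review bot: Both rules of the namespace-inventory-check hunk are also evaluated at admission, and a Namespace that is being created cannot yet contain a ResourceQuota or NetworkPolicy, so every Namespace `CREATE` produces a failure in Audit mode and would be blocked outright if `validationFailureAction` were switched to Enforce, even though the description says the policy is intended for background mode only. A precondition on each rule limiting it to background scans — Kyverno's documented form is `- key: "{{ request.operation || 'BACKGROUND' }}"` / `operator: Equals` / `value: BACKGROUND` — makes that intent enforceable rather than advisory. Separately, `items[] | length(@)` only establishes that some NetworkPolicy exists; an allow-all policy satisfies the check, so if the goal is tenant isolation the rule should look for a default-deny policy (empty `podSelector` with `policyTypes` covering Ingress/Egress) rather than counting objects, and a comment above `context:` should say which of the two the rule guarantees.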
@@ -0,0 +1,53 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: refresh-volumes-in-pods
+ annotations:
+ policies.kyverno.io/title: Refresh Volumes in Pods
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod,ConfigMap
+ kyverno.io/kyverno-version: 1.9.0
+ policies.kyverno.io/minversion: 1.9.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/description: >-
+ Although ConfigMaps and Secrets mounted as volumes to a Pod, when the contents change,
+ will eventually propagate to the Pods mounting them, this process may take between 60-90 seconds.
+ In order to reduce that time, a modification made to downstream Pods will cause the changes
+ to take effect almost instantly. This policy watches for changes to ConfigMaps which have been
+ marked for this quick reloading process which contain the label `kyverno.io/watch=true` and
+ will write an annotation to any Pods which mount them as volumes causing a fast refresh in their
+ contents. See the related policy entitled "Refresh Environment Variables in Pods" for a similar
+ reloading process when ConfigMaps and Secrets are consumed as environment variables instead.
+ Use of this policy may require providing the Kyverno ServiceAccount with permission
+ to update Pods.
+spec:
+ mutateExistingOnPolicyUpdate: false
+ rules:
+ - name: refresh-from-configmap-volume
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ selector:
+ matchLabels:
+ kyverno.io/watch: "true"
+ preconditions:
+ all:
+ - key: "{{ request.operation }}"
+ operator: Equals
+ value: UPDATE
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: Pod
+ namespace: "{{ request.namespace }}"
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ corp.org/random: "{{ random('[0-9a-z]{8}') }}"
+ spec:
+ volumes:
+ - configMap:
+ <(name): "{{ request.object.metadata.name }}"
\ No newline at end of file
From 1e7c4fe24d0a71d05ff014583d0456cb010264b4 Mon Sep 17 00:00:00 2001
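Review bot: The description says the policy watches ConfigMaps and Secrets mounted as volumes, but the only rule matches `kinds: - ConfigMap`, so a Secret carrying `kyverno.io/watch: "true"` is never acted on; the refresh-env-var-in-pod hunk (PATCH 11) has the mirror-image mismatch, describing Secrets or ConfigMaps while matching only Secret. Either add a parallel rule for the other kind (for this file, a second rule matching Secret whose patch anchors on `- secret:` / `<(secretName): "{{ request.object.metadata.name }}"` under `volumes`) or narrow each description to the kind actually handled. It would also help to note above `targets:` that the target is every Pod in `{{ request.namespace }}` and that, as far as the conditional anchor `<(name)` is concerned, only Pods mounting this ConfigMap receive the annotation — that is the reader's cue for why the Kyverno ServiceAccount needs update on Pods.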
From: Chip Zoller
Date: Fri, 13 Jan 2023 15:00:45 -0500
Subject: [PATCH 11/11] add refresh-env-var-in-pods
Signed-off-by: Chip Zoller
---
 .../refresh-env-var-in-pod.yaml | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 other/refresh-env-var-in-pod/refresh-env-var-in-pod.yaml
diff --git a/other/refresh-env-var-in-pod/refresh-env-var-in-pod.yaml b/other/refresh-env-var-in-pod/refresh-env-var-in-pod.yaml
new file mode 100644
index 000000000..8d077b415
--- /dev/null
+++ b/other/refresh-env-var-in-pod/refresh-env-var-in-pod.yaml
@@ -0,0 +1,56 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: refresh-env-var-in-pods
+ annotations:
+ policies.kyverno.io/title: Refresh Environment Variables in Pods
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod,Deployment,Secret
+ kyverno.io/kyverno-version: 1.9.0
+ policies.kyverno.io/minversion: 1.9.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/description: >-
+ When Pods consume Secrets or ConfigMaps through environment variables, should the contents
+ of those source resources change, the downstream Pods are normally not aware of them. In order
+ for the changes to be reflected, Pods must either restart or be respawned. This policy watches
+ for changes to Secrets which have been marked for this refreshing process which contain the label
+ `kyverno.io/watch=true` and will write an annotation to any Deployment Pod template which consume
+ them as env vars. This will result in a new rollout of Pods which will pick up the changed values.
+ See the related policy entitled "Refresh Volumes in Pods" for a similar reloading process when ConfigMaps
+ and Secrets are consumed as volumes instead. Use of this policy may require providing the Kyverno ServiceAccount
+ with permission to update Deployments.
+spec:
+ mutateExistingOnPolicyUpdate: false
+ rules:
+ - name: refresh-from-secret-env
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ selector:
+ matchLabels:
+ kyverno.io/watch: "true"
+ preconditions:
+ all:
+ - key: "{{request.operation}}"
+ operator: Equals
+ value: UPDATE
+ mutate:
+ targets:
+ - apiVersion: apps/v1
+ kind: Deployment
+ namespace: "{{request.namespace}}"
+ patchStrategicMerge:
+ spec:
+ template:
+ metadata:
+ annotations:
+ corp.org/random: "{{ random('[0-9a-z]{8}') }}"
+ spec:
+ containers:
+ - env:
+ - valueFrom:
+ secretKeyRef:
+ <(name): "{{ request.object.metadata.name }}"
\ No newline at end of file
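Review bot: The conditional anchor `<(name)` sits under `containers[].env[].valueFrom.secretKeyRef`, so a Deployment that imports the Secret through `envFrom: - secretRef:` — the usual way to expose a whole Secret as environment variables — or only in `initContainers` is not rolled, although the description promises a refresh for any Deployment Pod template consuming the Secret as env vars. A second patch (or rule) anchored on `envFrom:` / `- secretRef:` / `<(name): "{{ request.object.metadata.name }}"` would close the `envFrom` gap; if the narrower scope is intentional, the description should say so. Since each `UPDATE` of a labeled Secret rewrites the Pod template of every matching Deployment in the namespace, a comment above `preconditions:` such as `# every update to a watched Secret triggers a rollout of all Deployments consuming it; rotate accordingly` would help operators judge the blast radius.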