-
Notifications
You must be signed in to change notification settings - Fork 12
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feature/global-policy-set : upgrade version for test
- Loading branch information
1 parent
e4b1e97
commit b20f5d6
Showing
6 changed files
with
199 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
46 changes: 46 additions & 0 deletions
46
charts/test-krish-globalps/pols/disallow-capabilities.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: disallow-capabilities | ||
| annotations: | ||
| policies.kyverno.io/title: Disallow Capabilities | ||
| policies.kyverno.io/category: Pod Security Standards (Baseline) | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/minversion: 1.6.0 | ||
| kyverno.io/kubernetes-version: "1.22-1.23" | ||
| policies.kyverno.io/subject: Pod | ||
| policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities/" | ||
| policies.kyverno.io/description: >- | ||
| Adding capabilities beyond those listed in the policy must be disallowed. | ||
| spec: | ||
| validationFailureAction: Audit | ||
| background: true | ||
| rules: | ||
| - name: adding-capabilities | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Pod | ||
| validate: | ||
| message: >- | ||
| Adding capabilities beyond those listed in the policy rule is disallowed. | ||
| deny: | ||
| conditions: | ||
| all: | ||
| - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}" | ||
| operator: AnyNotIn | ||
| value: | ||
| - AUDIT_WRITE | ||
| - CHOWN | ||
| - DAC_OVERRIDE | ||
| - FOWNER | ||
| - FSETID | ||
| - KILL | ||
| - MKNOD | ||
| - NET_BIND_SERVICE | ||
| - SETFCAP | ||
| - SETGID | ||
| - SETPCAP | ||
| - SETUID | ||
| - SYS_CHROOT |
35 changes: 35 additions & 0 deletions
35
charts/test-krish-globalps/pols/disallow-host-namespaces.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: disallow-host-namespaces | ||
| annotations: | ||
| policies.kyverno.io/title: Disallow Host Namespaces | ||
| policies.kyverno.io/category: Pod Security Standards (Baseline) | ||
| policies.kyverno.io/severity: medium | ||
| kyverno.io/kubernetes-version: "1.22-1.23" | ||
| policies.kyverno.io/subject: Pod | ||
| policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/" | ||
| policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-namespaces/remediate-disallow-host-namespaces.yaml" | ||
| policies.kyverno.io/description: >- | ||
| Host namespaces (Process ID namespace, Inter-Process Communication namespace, and | ||
| network namespace) allow access to shared information and can be used to elevate | ||
| privileges. Pods should not be allowed access to host namespaces. This policy ensures | ||
| fields which make use of these host namespaces are unset or set to `false`. | ||
| spec: | ||
| validationFailureAction: Audit | ||
| background: true | ||
| rules: | ||
| - name: host-namespaces | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Pod | ||
| validate: | ||
| message: >- | ||
| Sharing the host namespaces is disallowed. | ||
| pattern: | ||
| spec: | ||
| =(hostPID): "false" | ||
| =(hostIPC): "false" | ||
| =(hostNetwork): "false" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: disallow-host-path | ||
| annotations: | ||
| policies.kyverno.io/title: Disallow hostPath | ||
| policies.kyverno.io/category: Pod Security Standards (Baseline) | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/subject: Pod,Volume | ||
| kyverno.io/kubernetes-version: "1.22-1.23" | ||
| policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-path/" | ||
| policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-path/remediate-disallow-host-path.yaml" | ||
| policies.kyverno.io/description: >- | ||
| HostPath volumes let Pods use host directories and volumes in containers. | ||
| Using host resources can be used to access shared data or escalate privileges | ||
| and should not be allowed. This policy ensures no hostPath volumes are in use. | ||
| spec: | ||
| validationFailureAction: Audit | ||
| background: true | ||
| rules: | ||
| - name: host-path | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Pod | ||
| validate: | ||
| message: >- | ||
| HostPath volumes are forbidden. | ||
| pattern: | ||
| spec: | ||
| =(volumes): | ||
| - X(hostPath): "null" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: disallow-host-ports | ||
| annotations: | ||
| policies.kyverno.io/title: Disallow hostPorts | ||
| policies.kyverno.io/category: Pod Security Standards (Baseline) | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/subject: Pod | ||
| kyverno.io/kubernetes-version: "1.22-1.23" | ||
| policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-ports/" | ||
| policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-ports/remediate-disallow-host-ports.yaml" | ||
| policies.kyverno.io/description: >- | ||
| Access to host ports allows potential snooping of network traffic and should not be | ||
| allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` | ||
| field is unset or set to `0`. | ||
| spec: | ||
| validationFailureAction: Audit | ||
| background: true | ||
| rules: | ||
| - name: host-ports-none | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Pod | ||
| validate: | ||
| message: >- | ||
| Use of host ports is disallowed. | ||
| pattern: | ||
| spec: | ||
| =(ephemeralContainers): | ||
| - =(ports): | ||
| - =(hostPort): 0 | ||
| =(initContainers): | ||
| - =(ports): | ||
| - =(hostPort): 0 | ||
| containers: | ||
| - =(ports): | ||
| - =(hostPort): 0 |
44 changes: 44 additions & 0 deletions
44
charts/test-krish-globalps/pols/disallow-host-process.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: disallow-host-process | ||
| annotations: | ||
| policies.kyverno.io/title: Disallow hostProcess | ||
| policies.kyverno.io/category: Pod Security Standards (Baseline) | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/subject: Pod | ||
| kyverno.io/kubernetes-version: "1.22-1.23" | ||
| policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-process/" | ||
| policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-process/remediate-disallow-host-process.yaml" | ||
| policies.kyverno.io/description: >- | ||
| Windows pods offer the ability to run HostProcess containers which enables privileged | ||
| access to the Windows node. Privileged access to the host is disallowed in the baseline | ||
| policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures | ||
| the `hostProcess` field, if present, is set to `false`. | ||
| spec: | ||
| validationFailureAction: Audit | ||
| background: true | ||
| rules: | ||
| - name: host-process-containers | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Pod | ||
| validate: | ||
| message: >- | ||
| HostProcess containers are disallowed. | ||
| pattern: | ||
| spec: | ||
| =(ephemeralContainers): | ||
| - =(securityContext): | ||
| =(windowsOptions): | ||
| =(hostProcess): "false" | ||
| =(initContainers): | ||
| - =(securityContext): | ||
| =(windowsOptions): | ||
| =(hostProcess): "false" | ||
| containers: | ||
| - =(securityContext): | ||
| =(windowsOptions): | ||
| =(hostProcess): "false" |