From d642d96280f3fd844f3dd675054c68548030eea6 Mon Sep 17 00:00:00 2001 
From: Anusha Hegde Date: Thu, 8 Jun 2023 20:01:29 +0530 Subject: [PATCH] Release updates for PSS standard (#70) * Release updates for PSS standard - update baseline and restricted profile templates - remove restrict-host-ports-range policy as it is redundant when restrict-host-ports is used * Fix indentation --- charts/pod-security-baseline/Chart.yaml | 2 +- .../pols/disallow-capabilities.yaml | 48 - .../pols/disallow-host-ports-range.yaml | 35 - .../templates/club-pols.yaml | 4 - .../templates/disallow-capabilities.yaml | 49 + .../disallow-host-namespaces.yaml | 7 +- .../disallow-host-path.yaml | 7 +- .../disallow-host-ports.yaml | 9 +- .../disallow-host-process.yaml | 7 +- .../disallow-privileged-containers.yaml | 7 +- .../disallow-proc-mount.yaml | 7 +- .../{pols => templates}/disallow-selinux.yaml | 13 +- .../restrict-apparmor-profiles.yaml | 7 +- .../{pols => templates}/restrict-seccomp.yaml | 27 +- .../{pols => templates}/restrict-sysctls.yaml | 7 +- charts/pod-security-restricted/Chart.yaml | 2 +- .../templates/club-pols.yaml | 4 - .../disallow-capabilities-strict.yaml | 41 +- .../disallow-privilege-escalation.yaml | 19 +- .../require-run-as-non-root-user.yaml | 19 +- .../require-run-as-nonroot.yaml | 49 +- .../restrict-seccomp-strict.yaml | 61 +- .../restrict-volume-types.yaml | 27 +- .../disallow-host-ports-range.yaml | 36 - .../kyverno-test.yaml | 312 ---- .../disallow-host-ports-range/resource.yaml | 1332 ----------------- pod-security/charts/.helmignore | 2 - pod-security/charts/Chart.yaml | 23 - pod-security/charts/README.md | 88 -- pod-security/charts/README.md.gotmpl | 65 - pod-security/charts/ci/default-values.yaml | 2 - .../charts/ci/test-autogen-none-values.yaml | 2 - .../charts/ci/test-preconditions-values.yaml | 19 - pod-security/charts/ci/test-rule-values.yaml | 25 - pod-security/charts/ci/test-values.yaml | 31 - pod-security/charts/templates/NOTES.txt | 10 - pod-security/charts/templates/_helpers.tpl | 84 -- 
.../baseline/disallow-capabilities.yaml | 74 - .../baseline/disallow-host-namespaces.yaml | 60 - .../baseline/disallow-host-path.yaml | 57 - .../baseline/disallow-host-ports.yaml | 66 - .../baseline/disallow-host-process.yaml | 71 - .../disallow-privileged-containers.yaml | 64 - .../baseline/disallow-proc-mount.yaml | 68 - .../templates/baseline/disallow-selinux.yaml | 115 -- .../baseline/restrict-apparmor-profiles.yaml | 61 - .../templates/baseline/restrict-seccomp.yaml | 75 - .../templates/baseline/restrict-sysctls.yaml | 65 - .../other/require-non-root-groups.yaml | 122 -- .../disallow-capabilities-strict.yaml | 123 -- .../disallow-privilege-escalation.yaml | 67 - .../require-run-as-non-root-user.yaml | 68 - .../restricted/require-run-as-nonroot.yaml | 79 - .../restricted/restrict-seccomp-strict.yaml | 90 -- .../restricted/restrict-volume-types.yaml | 72 - pod-security/charts/values.yaml | 102 -- 56 files changed, 216 insertions(+), 3772 deletions(-) delete mode 100644 charts/pod-security-baseline/pols/disallow-capabilities.yaml delete mode 100644 charts/pod-security-baseline/pols/disallow-host-ports-range.yaml delete mode 100644 charts/pod-security-baseline/templates/club-pols.yaml create mode 100644 charts/pod-security-baseline/templates/disallow-capabilities.yaml rename charts/pod-security-baseline/{pols => templates}/disallow-host-namespaces.yaml (86%) rename charts/pod-security-baseline/{pols => templates}/disallow-host-path.yaml (84%) rename charts/pod-security-baseline/{pols => templates}/disallow-host-ports.yaml (85%) rename charts/pod-security-baseline/{pols => templates}/disallow-host-process.yaml (90%) rename charts/pod-security-baseline/{pols => templates}/disallow-privileged-containers.yaml (87%) rename charts/pod-security-baseline/{pols => templates}/disallow-proc-mount.yaml (89%) rename charts/pod-security-baseline/{pols => templates}/disallow-selinux.yaml (92%) rename charts/pod-security-baseline/{pols => 
templates}/restrict-apparmor-profiles.yaml (87%) rename charts/pod-security-baseline/{pols => templates}/restrict-seccomp.yaml (68%) rename charts/pod-security-baseline/{pols => templates}/restrict-sysctls.yaml (89%) delete mode 100644 charts/pod-security-restricted/templates/club-pols.yaml rename charts/pod-security-restricted/{pols => templates}/disallow-capabilities-strict.yaml (62%) rename charts/pod-security-restricted/{pols => templates}/disallow-privilege-escalation.yaml (73%) rename charts/pod-security-restricted/{pols => templates}/require-run-as-non-root-user.yaml (75%) rename charts/pod-security-restricted/{pols => templates}/require-run-as-nonroot.yaml (57%) rename charts/pod-security-restricted/{pols => templates}/restrict-seccomp-strict.yaml (54%) rename charts/pod-security-restricted/{pols => templates}/restrict-volume-types.yaml (73%) delete mode 100644 pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml delete mode 100644 pod-security/baseline/disallow-host-ports-range/kyverno-test.yaml delete mode 100644 pod-security/baseline/disallow-host-ports-range/resource.yaml delete mode 100644 pod-security/charts/.helmignore delete mode 100644 pod-security/charts/Chart.yaml delete mode 100644 pod-security/charts/README.md delete mode 100644 pod-security/charts/README.md.gotmpl delete mode 100644 pod-security/charts/ci/default-values.yaml delete mode 100644 pod-security/charts/ci/test-autogen-none-values.yaml delete mode 100644 pod-security/charts/ci/test-preconditions-values.yaml delete mode 100644 pod-security/charts/ci/test-rule-values.yaml delete mode 100644 pod-security/charts/ci/test-values.yaml delete mode 100644 pod-security/charts/templates/NOTES.txt delete mode 100644 pod-security/charts/templates/_helpers.tpl delete mode 100644 pod-security/charts/templates/baseline/disallow-capabilities.yaml delete mode 100644 pod-security/charts/templates/baseline/disallow-host-namespaces.yaml delete mode 100644 
pod-security/charts/templates/baseline/disallow-host-path.yaml
delete mode 100644 pod-security/charts/templates/baseline/disallow-host-ports.yaml
delete mode 100644 pod-security/charts/templates/baseline/disallow-host-process.yaml
delete mode 100644 pod-security/charts/templates/baseline/disallow-privileged-containers.yaml
delete mode 100644 pod-security/charts/templates/baseline/disallow-proc-mount.yaml
delete mode 100644 pod-security/charts/templates/baseline/disallow-selinux.yaml
delete mode 100644 pod-security/charts/templates/baseline/restrict-apparmor-profiles.yaml
delete mode 100644 pod-security/charts/templates/baseline/restrict-seccomp.yaml
delete mode 100644 pod-security/charts/templates/baseline/restrict-sysctls.yaml
delete mode 100644 pod-security/charts/templates/other/require-non-root-groups.yaml
delete mode 100644 pod-security/charts/templates/restricted/disallow-capabilities-strict.yaml
delete mode 100644 pod-security/charts/templates/restricted/disallow-privilege-escalation.yaml
delete mode 100644 pod-security/charts/templates/restricted/require-run-as-non-root-user.yaml
delete mode 100644 pod-security/charts/templates/restricted/require-run-as-nonroot.yaml
delete mode 100644 pod-security/charts/templates/restricted/restrict-seccomp-strict.yaml
delete mode 100644 pod-security/charts/templates/restricted/restrict-volume-types.yaml
delete mode 100644 pod-security/charts/values.yaml
diff --git a/charts/pod-security-baseline/Chart.yaml b/charts/pod-security-baseline/Chart.yaml
index 70692068..b02d88fe 100644
--- a/charts/pod-security-baseline/Chart.yaml
+++ b/charts/pod-security-baseline/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: pss-baseline-policies
 description: Pod Security Standards (baseline) policy set
 type: application
-version: 0.1.1
+version: 0.2.0
 appVersion: 0.1.0
 keywords:
 - kubernetes
diff --git a/charts/pod-security-baseline/pols/disallow-capabilities.yaml b/charts/pod-security-baseline/pols/disallow-capabilities.yaml deleted file mode 100644 index 21f2c426..00000000 --- a/charts/pod-security-baseline/pols/disallow-capabilities.yaml +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-capabilities - annotations: - policies.kyverno.io/title: Disallow Capabilities - policies.kyverno.io/category: Pod Security Standards (Baseline) - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.22-1.23" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Adding capabilities beyond those listed in the policy must be disallowed. -spec: - validationFailureAction: audit - background: true - rules: - - name: adding-capabilities - match: - any: - - resources: - kinds: - - Pod - validate: - message: >- - Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, - FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) - are disallowed. - deny: - conditions: - all: - - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}" - operator: AnyNotIn - value: - - AUDIT_WRITE - - CHOWN - - DAC_OVERRIDE - - FOWNER - - FSETID - - KILL - - MKNOD - - NET_BIND_SERVICE - - SETFCAP - - SETGID - - SETPCAP - - SETUID - - SYS_CHROOT diff --git a/charts/pod-security-baseline/pols/disallow-host-ports-range.yaml b/charts/pod-security-baseline/pols/disallow-host-ports-range.yaml deleted file mode 100644 index 5f8ecb50..00000000 --- a/charts/pod-security-baseline/pols/disallow-host-ports-range.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-host-ports-range - annotations: - policies.kyverno.io/title: Disallow hostPorts Range (Alternate) - policies.kyverno.io/category: Pod Security Standards (Baseline) - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.22-1.23" - policies.kyverno.io/description: >- - Access to host ports allows potential snooping of network traffic and should not be - allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` - field is set to one in the designated list. -spec: - validationFailureAction: audit - background: true - rules: - - name: host-port-range - match: - any: - - resources: - kinds: - - Pod - validate: - message: >- - The only permitted hostPorts are in the range 5000-6000. - deny: - conditions: - all: - - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].ports[].hostPort }}" - operator: AnyNotIn - value: 5000-6000 diff --git a/charts/pod-security-baseline/templates/club-pols.yaml b/charts/pod-security-baseline/templates/club-pols.yaml deleted file mode 100644 index c3c51aa7..00000000 --- a/charts/pod-security-baseline/templates/club-pols.yaml +++ /dev/null @@ -1,4 +0,0 @@ -{{ range $path, $_ := .Files.Glob "pols/**.yaml" }} -{{ $.Files.Get $path }} ---- -{{ end }} diff --git a/charts/pod-security-baseline/templates/disallow-capabilities.yaml b/charts/pod-security-baseline/templates/disallow-capabilities.yaml new file mode 100644 index 00000000..aa03a4e9 --- /dev/null +++ b/charts/pod-security-baseline/templates/disallow-capabilities.yaml 
@@ -0,0 +1,49 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-capabilities + annotations: + policies.kyverno.io/title: Disallow Capabilities + policies.kyverno.io/category: Pod Security Standards (Baseline) + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + policies.kyverno.io/subject: Pod + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities/" + policies.kyverno.io/description: >- + Adding capabilities beyond those listed in the policy must be disallowed. +spec: + validationFailureAction: audit + background: true + rules: + - name: adding-capabilities + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, + FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) + are disallowed. + deny: + conditions: + all: + - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}" + operator: AnyNotIn + value: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT diff --git a/charts/pod-security-baseline/pols/disallow-host-namespaces.yaml b/charts/pod-security-baseline/templates/disallow-host-namespaces.yaml similarity index 86% rename from charts/pod-security-baseline/pols/disallow-host-namespaces.yaml rename to charts/pod-security-baseline/templates/disallow-host-namespaces.yaml index 27eae3a6..24ed756c 100644 --- a/charts/pod-security-baseline/pols/disallow-host-namespaces.yaml +++ b/charts/pod-security-baseline/templates/disallow-host-namespaces.yaml 
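Review bot: The new file carries an unescaped Kyverno JMESPath expression, `key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}"`, and because it now lives under `templates/` (the `club-pols.yaml` loop that emitted `pols/**.yaml` verbatim through `.Files.Get` is deleted in this same commit) Helm will parse the `{{ ... }}` as a Go template action, so `helm template` should fail on an undefined `request` function rather than render the policy. Unless escaping is handled somewhere not shown, each such line needs the braces emitted as text, e.g. `key: "{{ "{{" }} request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] {{ "}}" }}"`. The same applies to `{{ request.operation || 'BACKGROUND' }}` and the `element.securityContext.capabilities.*` expressions in the renamed `disallow-capabilities-strict.yaml`, and likely to moved policies whose bodies fall outside the shown hunks. While the file is a template, `validationFailureAction: audit` could also be sourced from `.Values` so a consumer can opt into `enforce` without editing the chart.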
@@ -9,6 +9,7 @@ metadata: kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.kyverno.io/subject: Pod + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/" policies.kyverno.io/description: >- Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate @@ -21,9 +22,9 @@ spec: - name: host-namespaces match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Sharing the host namespaces is disallowed. The fields spec.hostNetwork, diff --git a/charts/pod-security-baseline/pols/disallow-host-path.yaml b/charts/pod-security-baseline/templates/disallow-host-path.yaml similarity index 84% rename from charts/pod-security-baseline/pols/disallow-host-path.yaml rename to charts/pod-security-baseline/templates/disallow-host-path.yaml index 90181aab..bd59a1ad 100644 --- a/charts/pod-security-baseline/pols/disallow-host-path.yaml +++ b/charts/pod-security-baseline/templates/disallow-host-path.yaml @@ -9,6 +9,7 @@ metadata: policies.kyverno.io/subject: Pod,Volume kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-path/" policies.kyverno.io/description: >- HostPath volumes let Pods use host directories and volumes in containers. Using host resources can be used to access shared data or escalate privileges @@ -20,9 +21,9 @@ spec: - name: host-path match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. 
diff --git a/charts/pod-security-baseline/pols/disallow-host-ports.yaml b/charts/pod-security-baseline/templates/disallow-host-ports.yaml similarity index 85% rename from charts/pod-security-baseline/pols/disallow-host-ports.yaml rename to charts/pod-security-baseline/templates/disallow-host-ports.yaml index d0ed4bf2..01995e72 100644 --- a/charts/pod-security-baseline/pols/disallow-host-ports.yaml +++ b/charts/pod-security-baseline/templates/disallow-host-ports.yaml @@ -9,10 +9,11 @@ metadata: policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-ports/" policies.kyverno.io/description: >- Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` - field is unset or set to `0`. + field is unset or set to `0`. spec: validationFailureAction: audit background: true @@ -20,9 +21,9 @@ spec: - name: host-ports-none match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort diff --git a/charts/pod-security-baseline/pols/disallow-host-process.yaml b/charts/pod-security-baseline/templates/disallow-host-process.yaml similarity index 90% rename from charts/pod-security-baseline/pols/disallow-host-process.yaml rename to charts/pod-security-baseline/templates/disallow-host-process.yaml index b1e88e92..04674297 100644 --- a/charts/pod-security-baseline/pols/disallow-host-process.yaml +++ b/charts/pod-security-baseline/templates/disallow-host-process.yaml 
@@ -9,6 +9,7 @@ metadata: policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-process/" policies.kyverno.io/description: >- Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline @@ -21,9 +22,9 @@ spec: - name: host-process-containers match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess, diff --git a/charts/pod-security-baseline/pols/disallow-privileged-containers.yaml b/charts/pod-security-baseline/templates/disallow-privileged-containers.yaml similarity index 87% rename from charts/pod-security-baseline/pols/disallow-privileged-containers.yaml rename to charts/pod-security-baseline/templates/disallow-privileged-containers.yaml index a09b8917..b5f448c5 100644 --- a/charts/pod-security-baseline/pols/disallow-privileged-containers.yaml +++ b/charts/pod-security-baseline/templates/disallow-privileged-containers.yaml @@ -9,6 +9,7 @@ metadata: policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-privileged-containers/" policies.kyverno.io/description: >- Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode. @@ -19,9 +20,9 @@ spec: - name: privileged-containers match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged 
diff --git a/charts/pod-security-baseline/pols/disallow-proc-mount.yaml b/charts/pod-security-baseline/templates/disallow-proc-mount.yaml similarity index 89% rename from charts/pod-security-baseline/pols/disallow-proc-mount.yaml rename to charts/pod-security-baseline/templates/disallow-proc-mount.yaml index aeb74f07..764d2354 100644 --- a/charts/pod-security-baseline/pols/disallow-proc-mount.yaml +++ b/charts/pod-security-baseline/templates/disallow-proc-mount.yaml @@ -9,6 +9,7 @@ metadata: policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-proc-mount/" policies.kyverno.io/description: >- The default /proc masks are set up to reduce attack surface and should be required. This policy ensures nothing but the default procMount can be specified. Note that in order for users @@ -21,9 +22,9 @@ spec: - name: check-proc-mount match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Changing the proc mount from the default is not allowed. The fields diff --git a/charts/pod-security-baseline/pols/disallow-selinux.yaml b/charts/pod-security-baseline/templates/disallow-selinux.yaml similarity index 92% rename from charts/pod-security-baseline/pols/disallow-selinux.yaml rename to charts/pod-security-baseline/templates/disallow-selinux.yaml index fa3f19d8..cbc97506 100644 --- a/charts/pod-security-baseline/pols/disallow-selinux.yaml +++ b/charts/pod-security-baseline/templates/disallow-selinux.yaml 
@@ -9,6 +9,7 @@ metadata: policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-selinux/" policies.kyverno.io/description: >- SELinux options can be used to escalate privileges and should not be allowed. This policy ensures that the `seLinuxOptions` field is undefined. @@ -19,9 +20,9 @@ spec: - name: selinux-type match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Setting the SELinux type is restricted. The fields @@ -48,9 +49,9 @@ spec: - name: selinux-user-role match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Setting the SELinux user or role is forbidden. The fields diff --git a/charts/pod-security-baseline/pols/restrict-apparmor-profiles.yaml b/charts/pod-security-baseline/templates/restrict-apparmor-profiles.yaml similarity index 87% rename from charts/pod-security-baseline/pols/restrict-apparmor-profiles.yaml rename to charts/pod-security-baseline/templates/restrict-apparmor-profiles.yaml index 84194c67..2a56f167 100644 --- a/charts/pod-security-baseline/pols/restrict-apparmor-profiles.yaml +++ b/charts/pod-security-baseline/templates/restrict-apparmor-profiles.yaml @@ -10,6 +10,7 @@ metadata: policies.kyverno.io/minversion: 1.3.0 kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-apparmor-profiles/" policies.kyverno.io/description: >- On supported hosts, the 'runtime/default' AppArmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict 
@@ -22,9 +23,9 @@ spec: - name: app-armor match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Specifying other AppArmor profiles is disallowed. The annotation diff --git a/charts/pod-security-baseline/pols/restrict-seccomp.yaml b/charts/pod-security-baseline/templates/restrict-seccomp.yaml similarity index 68% rename from charts/pod-security-baseline/pols/restrict-seccomp.yaml rename to charts/pod-security-baseline/templates/restrict-seccomp.yaml index 2fd176dc..a6c01962 100644 --- a/charts/pod-security-baseline/pols/restrict-seccomp.yaml +++ b/charts/pod-security-baseline/templates/restrict-seccomp.yaml @@ -9,6 +9,7 @@ metadata: policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-seccomp/" policies.kyverno.io/description: >- The seccomp profile must not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is unset or @@ -20,9 +21,9 @@ spec: - name: check-seccomp match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Use of custom Seccomp profiles is disallowed. The fields 
@@ -35,16 +36,16 @@ spec: spec: =(securityContext): =(seccompProfile): - =(type): "RuntimeDefault | Localhost" + =(type): "RuntimeDefault | Localhost" =(ephemeralContainers): - - =(securityContext): - =(seccompProfile): - =(type): "RuntimeDefault | Localhost" + - =(securityContext): + =(seccompProfile): + =(type): "RuntimeDefault | Localhost" =(initContainers): - - =(securityContext): - =(seccompProfile): - =(type): "RuntimeDefault | Localhost" + - =(securityContext): + =(seccompProfile): + =(type): "RuntimeDefault | Localhost" containers: - - =(securityContext): - =(seccompProfile): - =(type): "RuntimeDefault | Localhost" + - =(securityContext): + =(seccompProfile): + =(type): "RuntimeDefault | Localhost" diff --git a/charts/pod-security-baseline/pols/restrict-sysctls.yaml b/charts/pod-security-baseline/templates/restrict-sysctls.yaml similarity index 89% rename from charts/pod-security-baseline/pols/restrict-sysctls.yaml rename to charts/pod-security-baseline/templates/restrict-sysctls.yaml index 6b309beb..fc4472a6 100644 --- a/charts/pod-security-baseline/pols/restrict-sysctls.yaml +++ b/charts/pod-security-baseline/templates/restrict-sysctls.yaml @@ -9,6 +9,7 @@ metadata: policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-sysctls/" policies.kyverno.io/description: >- Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset. A @@ -23,9 +24,9 @@ spec: - name: check-sysctls match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Setting additional sysctls above the allowed type is disallowed. diff --git a/charts/pod-security-restricted/Chart.yaml b/charts/pod-security-restricted/Chart.yaml index 260885f0..9e2ff382 100644 --- a/charts/pod-security-restricted/Chart.yaml 
+++ b/charts/pod-security-restricted/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: pss-restricted-policies description: Pod Security Standards (restricted) policy set type: application -version: 0.1.1 +version: 0.2.0 appVersion: 0.1.0 keywords: - kubernetes diff --git a/charts/pod-security-restricted/templates/club-pols.yaml b/charts/pod-security-restricted/templates/club-pols.yaml deleted file mode 100644 index c3c51aa7..00000000 --- a/charts/pod-security-restricted/templates/club-pols.yaml +++ /dev/null @@ -1,4 +0,0 @@ -{{ range $path, $_ := .Files.Glob "pols/**.yaml" }} -{{ $.Files.Get $path }} ---- -{{ end }} diff --git a/charts/pod-security-restricted/pols/disallow-capabilities-strict.yaml b/charts/pod-security-restricted/templates/disallow-capabilities-strict.yaml similarity index 62% rename from charts/pod-security-restricted/pols/disallow-capabilities-strict.yaml rename to charts/pod-security-restricted/templates/disallow-capabilities-strict.yaml index 7492aa18..bfa6a9dd 100644 --- a/charts/pod-security-restricted/pols/disallow-capabilities-strict.yaml +++ b/charts/pod-security-restricted/templates/disallow-capabilities-strict.yaml @@ -10,6 +10,7 @@ metadata: kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.kyverno.io/subject: Pod + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities-strict/" policies.kyverno.io/description: >- Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities. @@ -20,14 +21,14 @@ spec: - name: require-drop-all match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod preconditions: all: - - key: "{{ request.operation || 'BACKGROUND' }}" - operator: NotEquals - value: DELETE + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: NotEquals + value: DELETE validate: message: >- Containers must drop `ALL` capabilities. 
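Review bot: The remediation annotation added to this policy in the pod-security-restricted chart points at a baseline path, `policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities-strict/"`; if the docs site mirrors the chart split, this should read `.../podsecurity/restricted/disallow-capabilities-strict/`. The same `/baseline/` segment appears on every restricted policy in this commit (disallow-privilege-escalation, require-run-as-non-root-user, require-run-as-nonroot, restrict-seccomp-strict), and the require-run-as-nonroot link also ends in `require-run-as-non-root/`, which does not match that policy's name. The links cannot be resolved from the diff, so confirming that each URL serves a page before tagging the release would settle the correct form.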
@@ -36,20 +37,20 @@ spec: deny: conditions: all: - - key: ALL - operator: AnyNotIn - value: "{{ element.securityContext.capabilities.drop[] || `[]` }}" + - key: ALL + operator: AnyNotIn + value: "{{ element.securityContext.capabilities.drop[] || `[]` }}" - name: adding-capabilities-strict match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod preconditions: all: - - key: "{{ request.operation || 'BACKGROUND' }}" - operator: NotEquals - value: DELETE + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: NotEquals + value: DELETE validate: message: >- Any capabilities added other than NET_BIND_SERVICE are disallowed. @@ -58,8 +59,8 @@ spec: deny: conditions: all: - - key: "{{ element.securityContext.capabilities.add[] || `[]` }}" - operator: AnyNotIn - value: - - NET_BIND_SERVICE - - '' + - key: "{{ element.securityContext.capabilities.add[] || `[]` }}" + operator: AnyNotIn + value: + - NET_BIND_SERVICE + - "" diff --git a/charts/pod-security-restricted/pols/disallow-privilege-escalation.yaml b/charts/pod-security-restricted/templates/disallow-privilege-escalation.yaml similarity index 73% rename from charts/pod-security-restricted/pols/disallow-privilege-escalation.yaml rename to charts/pod-security-restricted/templates/disallow-privilege-escalation.yaml index b06d960a..d489bf6d 100644 --- a/charts/pod-security-restricted/pols/disallow-privilege-escalation.yaml +++ b/charts/pod-security-restricted/templates/disallow-privilege-escalation.yaml @@ -9,6 +9,7 @@ metadata: policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-privilege-escalation/" policies.kyverno.io/description: >- Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`. 
@@ -19,9 +20,9 @@ spec: - name: privilege-escalation match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Privilege escalation is disallowed. The fields @@ -32,11 +33,11 @@ spec: pattern: spec: =(ephemeralContainers): - - securityContext: - allowPrivilegeEscalation: "false" + - securityContext: + allowPrivilegeEscalation: "false" =(initContainers): - - securityContext: - allowPrivilegeEscalation: "false" + - securityContext: + allowPrivilegeEscalation: "false" containers: - - securityContext: - allowPrivilegeEscalation: "false" + - securityContext: + allowPrivilegeEscalation: "false" diff --git a/charts/pod-security-restricted/pols/require-run-as-non-root-user.yaml b/charts/pod-security-restricted/templates/require-run-as-non-root-user.yaml similarity index 75% rename from charts/pod-security-restricted/pols/require-run-as-non-root-user.yaml rename to charts/pod-security-restricted/templates/require-run-as-non-root-user.yaml index 5be4515c..3150c026 100644 --- a/charts/pod-security-restricted/pols/require-run-as-non-root-user.yaml +++ b/charts/pod-security-restricted/templates/require-run-as-non-root-user.yaml @@ -9,6 +9,7 @@ metadata: policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/require-run-as-non-root-user/" policies.kyverno.io/description: >- Containers must be required to run as non-root users. This policy ensures `runAsUser` is either unset or set to a number greater than zero. @@ -19,9 +20,9 @@ spec: - name: run-as-non-root-user match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Running as root is not allowed. The fields spec.securityContext.runAsUser, 
@@ -33,11 +34,11 @@ spec: =(securityContext): =(runAsUser): ">0" =(ephemeralContainers): - - =(securityContext): - =(runAsUser): ">0" + - =(securityContext): + =(runAsUser): ">0" =(initContainers): - - =(securityContext): - =(runAsUser): ">0" + - =(securityContext): + =(runAsUser): ">0" containers: - - =(securityContext): - =(runAsUser): ">0" + - =(securityContext): + =(runAsUser): ">0" diff --git a/charts/pod-security-restricted/pols/require-run-as-nonroot.yaml b/charts/pod-security-restricted/templates/require-run-as-nonroot.yaml similarity index 57% rename from charts/pod-security-restricted/pols/require-run-as-nonroot.yaml rename to charts/pod-security-restricted/templates/require-run-as-nonroot.yaml index cad5c18e..e571dd5a 100644 --- a/charts/pod-security-restricted/pols/require-run-as-nonroot.yaml +++ b/charts/pod-security-restricted/templates/require-run-as-nonroot.yaml @@ -9,6 +9,7 @@ metadata: policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/require-run-as-non-root/" policies.kyverno.io/description: >- Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this @@ -20,9 +21,9 @@ spec: - name: run-as-non-root match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot 
@@ -30,25 +31,25 @@ spec: spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. anyPattern: - - spec: - securityContext: - runAsNonRoot: "true" - =(ephemeralContainers): - - =(securityContext): - =(runAsNonRoot): "true" - =(initContainers): - - =(securityContext): - =(runAsNonRoot): "true" - containers: - - =(securityContext): - =(runAsNonRoot): "true" - - spec: - =(ephemeralContainers): - - securityContext: - runAsNonRoot: "true" - =(initContainers): - - securityContext: - runAsNonRoot: "true" - containers: - - securityContext: + - spec: + securityContext: runAsNonRoot: "true" + =(ephemeralContainers): + - =(securityContext): + =(runAsNonRoot): "true" + =(initContainers): + - =(securityContext): + =(runAsNonRoot): "true" + containers: + - =(securityContext): + =(runAsNonRoot): "true" + - spec: + =(ephemeralContainers): + - securityContext: + runAsNonRoot: "true" + =(initContainers): + - securityContext: + runAsNonRoot: "true" + containers: + - securityContext: + runAsNonRoot: "true" diff --git a/charts/pod-security-restricted/pols/restrict-seccomp-strict.yaml b/charts/pod-security-restricted/templates/restrict-seccomp-strict.yaml similarity index 54% rename from charts/pod-security-restricted/pols/restrict-seccomp-strict.yaml rename to charts/pod-security-restricted/templates/restrict-seccomp-strict.yaml index 4c9a83d2..a833aef5 100644 --- a/charts/pod-security-restricted/pols/restrict-seccomp-strict.yaml +++ b/charts/pod-security-restricted/templates/restrict-seccomp-strict.yaml 
@@ -9,6 +9,7 @@ metadata: policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-seccomp-strict/" policies.kyverno.io/description: >- The seccomp profile in the Restricted group must not be explicitly set to Unconfined but additionally must also not allow an unset value. This policy, @@ -22,9 +23,9 @@ spec: - name: check-seccomp-strict match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Use of custom Seccomp profiles is disallowed. The fields 
@@ -34,32 +35,32 @@ spec: spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`. anyPattern: - - spec: - securityContext: - seccompProfile: - type: "RuntimeDefault | Localhost" - =(ephemeralContainers): - - =(securityContext): - =(seccompProfile): - =(type): "RuntimeDefault | Localhost" - =(initContainers): - - =(securityContext): - =(seccompProfile): - =(type): "RuntimeDefault | Localhost" - containers: - - =(securityContext): - =(seccompProfile): - =(type): "RuntimeDefault | Localhost" - - spec: - =(ephemeralContainers): - - securityContext: - seccompProfile: - type: "RuntimeDefault | Localhost" - =(initContainers): - - securityContext: - seccompProfile: - type: "RuntimeDefault | Localhost" - containers: - - securityContext: + - spec: + securityContext: seccompProfile: type: "RuntimeDefault | Localhost" + =(ephemeralContainers): + - =(securityContext): + =(seccompProfile): + =(type): "RuntimeDefault | Localhost" + =(initContainers): + - =(securityContext): + =(seccompProfile): + =(type): "RuntimeDefault | Localhost" + containers: + - =(securityContext): + =(seccompProfile): + =(type): "RuntimeDefault | Localhost" + - spec: + =(ephemeralContainers): + - securityContext: + seccompProfile: + type: "RuntimeDefault | Localhost" + =(initContainers): + - securityContext: + seccompProfile: + type: "RuntimeDefault | Localhost" + containers: + - securityContext: + seccompProfile: + type: "RuntimeDefault | Localhost" diff --git a/charts/pod-security-restricted/pols/restrict-volume-types.yaml b/charts/pod-security-restricted/templates/restrict-volume-types.yaml similarity index 73% rename from charts/pod-security-restricted/pols/restrict-volume-types.yaml rename to charts/pod-security-restricted/templates/restrict-volume-types.yaml index c0bb0b7c..c42b41e2 100644 --- a/charts/pod-security-restricted/pols/restrict-volume-types.yaml +++ b/charts/pod-security-restricted/templates/restrict-volume-types.yaml 
@@ -10,6 +10,7 @@ metadata: policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" kyverno.io/kyverno-version: 1.6.0 + policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-volume-types/" policies.kyverno.io/description: >- In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. @@ -21,9 +22,9 @@ spec: - name: restricted-volumes match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod validate: message: >- Only the following types of volumes may be used: configMap, csi, downwardAPI, @@ -34,13 +35,13 @@ spec: - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}" operator: AnyNotIn value: - - name - - configMap - - csi - - downwardAPI - - emptyDir - - ephemeral - - persistentVolumeClaim - - projected - - secret - - '' + - name + - configMap + - csi + - downwardAPI + - emptyDir + - ephemeral + - persistentVolumeClaim + - projected + - secret + - "" diff --git a/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml b/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml deleted file mode 100644 index bb7ddefd..00000000 --- a/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml +++ /dev/null 
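Review bot: In the `@@ -34,13 +35,13 @@` hunk the context line `- key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"` is a Kyverno JMESPath expression, but this file has just moved from `pols/` to `templates/`, where Helm feeds every file through Go text/template before YAML parsing; unless something outside this hunk escapes it, `helm template`/`helm install` will abort on this line (Go treats `{{ request... }}` as a template action with an undefined function), and the whole Restricted chart fails to render rather than enforcing the other policies. The other restricted templates in this patch use static patterns and are unaffected, so this is the one line that needs escaping: `- key: "{{ "{{" }} request.object.spec.volumes[].keys(@)[] || '' {{ "}}" }}"`, with a comment above it such as `# Kyverno JMESPath inside a Helm template: the inner braces are escaped for Go templating`. A `helm template` run of both charts in CI would catch this class of regression. The `''`→`""` change in the allow-list is behaviour-neutral, both spell the empty string that the `|| ''` fallback produces.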
@@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-host-ports-range - annotations: - policies.kyverno.io/title: Disallow hostPorts Range (Alternate) - policies.kyverno.io/category: Pod Security Standards (Baseline) - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.22-1.23" - policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-ports/" - policies.kyverno.io/description: >- - Access to host ports allows potential snooping of network traffic and should not be - allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` - field is set to one in the designated list. -spec: - validationFailureAction: audit - background: true - rules: - - name: host-port-range - match: - any: - - resources: - kinds: - - Pod - validate: - message: >- - The only permitted hostPorts are in the range 5000-6000. - deny: - conditions: - all: - - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].ports[].hostPort }}" - operator: AnyNotIn - value: 5000-6000 diff --git a/pod-security/baseline/disallow-host-ports-range/kyverno-test.yaml b/pod-security/baseline/disallow-host-ports-range/kyverno-test.yaml deleted file mode 100644 index c44d66c1..00000000 --- a/pod-security/baseline/disallow-host-ports-range/kyverno-test.yaml +++ /dev/null 
@@ -1,312 +0,0 @@ -name: disallow-host-ports-range -policies: - - disallow-host-ports-range.yaml -resources: - - resource.yaml -results: -###### Pods - Bad - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod01 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod02 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod03 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod04 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod05 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod06 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod07 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod08 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod09 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod10 - kind: Pod - result: fail -###### Pods - Good - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod01 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod02 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod03 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod04 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod05 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod06 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: 
host-port-range - resource: goodpod07 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod08 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod09 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod10 - kind: Pod - result: pass -###### Deployments - Bad - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment01 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment02 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment03 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment04 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment05 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment06 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment07 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment08 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment09 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment10 - kind: Deployment - result: fail -###### Deployments - Good - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment02 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: 
host-port-range - resource: gooddeployment03 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment04 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment05 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment06 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment07 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment08 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment09 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment10 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob01 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob02 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob03 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob04 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob05 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob06 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob07 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob08 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: 
badcronjob09 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob10 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob01 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob02 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob03 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob04 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob05 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob06 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob07 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob08 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob09 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob10 - kind: CronJob - result: pass diff --git a/pod-security/baseline/disallow-host-ports-range/resource.yaml b/pod-security/baseline/disallow-host-ports-range/resource.yaml deleted file mode 100644 index db33e349..00000000 --- a/pod-security/baseline/disallow-host-ports-range/resource.yaml +++ /dev/null 
@@ -1,1332 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- 
-apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - containers: - - name: container01 - image: dummyimagename ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: 
dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - 
selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: 
Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web - containerPort: 4443 - hostPort: 443 - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app 
- template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: 
gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - 
schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - 
schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- 
-apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - 
containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 diff --git a/pod-security/charts/.helmignore b/pod-security/charts/.helmignore deleted file mode 100644 index bfef914f..00000000 --- a/pod-security/charts/.helmignore +++ /dev/null @@ -1,2 +0,0 @@ -ci/ -README.md.gotmpl \ No newline at end of file diff --git a/pod-security/charts/Chart.yaml b/pod-security/charts/Chart.yaml deleted file mode 100644 index d55aae9e..00000000 --- a/pod-security/charts/Chart.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: v2 -name: pod-security-standard-policies -description: A Helm chart for applying Pod Security Standards as Kyverno policies -type: application -version: 0.1.4 -appVersion: v1.8.4 - -keywords: - - kyverno - - pod security - - best practices - - nirmata - - policy agent - - validating webhook - - admission controller - -home: https://nirmata.com/ - -maintainers: - - name: Nirmata - url: https://nirmata.com/ - -kubeVersion: ">=1.16.0-0" diff --git a/pod-security/charts/README.md b/pod-security/charts/README.md deleted file mode 100644 index 1a622f6e..00000000 --- a/pod-security/charts/README.md +++ /dev/null 
@@ -1,88 +0,0 @@ -# pod-security-standard-policies - -A Helm chart for applying Pod Security Standards as Kyverno policies - -![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.8.4](https://img.shields.io/badge/AppVersion-v1.8.4-informational?style=flat-square) - -## About - -This chart contains Enterprise Kyverno's implementation of the Kubernetes Pod Security Standards (PSS) as documented at https://kubernetes.io/docs/concepts/security/pod-security-standards/ and are a Helm packaged version of those found at https://github.com/kyverno/policies/tree/main/pod-security. The goal of the PSS controls is to provide a good starting point for general Kubernetes cluster operational security. These controls are broken down into two categories, Baseline and Restricted. Baseline policies implement the most basic of Pod security controls while Restricted implements more strict controls. Restricted is cumulative and encompasses those listed in Baseline. - -The following policies are included in each profile. - -**Baseline** - -* disallow-capabilities -* disallow-host-namespaces -* disallow-host-path -* disallow-host-ports -* disallow-host-process -* disallow-privileged-containers -* disallow-proc-mount -* disallow-selinux -* restrict-apparmor-profiles -* restrict-seccomp -* restrict-sysctls - -**Restricted** - -* disallow-capabilities-strict -* disallow-privilege-escalation -* require-run-as-non-root-user -* require-run-as-nonroot -* restrict-seccomp-strict -* restrict-volume-types - -## Installing the Chart - -These PSS policies presently have a minimum requirement of Enterprise Kyverno 1.6.0. 
- -```console -## Add the Enterprise Kyverno Helm repository -$ helm repo add nirmata https://nirmata.github.io/kyverno-charts/ && helm repo update nirmata - -## Install the Pod Security Standards Helm chart -$ helm install pss-policies -n nirmata-kyverno --create-namespace nirmata/pod-security-standard-policies -``` - -## Uninstalling the Chart - -To uninstall/delete the `pss-policies` chart: - -```console -$ helm delete -n nirmata-kyverno pss-policies -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| podSecurityStandard | string | `"baseline"` | Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`). For more info https://kyverno.io/policies/pod-security. | -| podSecuritySeverity | string | `"medium"` | Pod Security Standard (`low`, `medium`, `high`). | -| podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. | -| includeOtherPolicies | list | `[]` | Additional policies to include from `other`. | -| includeRestrictedPolicies | list | `[]` | Additional policies to include from `restricted`. | -| failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail') For more info: https://kyverno.io/docs/writing-policies/policy-settings/ | -| validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. | -| validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. | -| validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. 
| -| policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. | -| policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. | -| autogenControllers | string | `""` | Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) For more info https://kyverno.io/docs/writing-policies/autogen/. | -| nameOverride | string | `nil` | Name override. | -| customLabels | object | `{}` | Additional labels. | -| background | bool | `true` | Policies background mode | -| kyvernoVersion | string | `"autodetect"` | Kyverno version The default of "autodetect" will try to determine the currently installed version from the deployment | - -## Requirements - -Kubernetes: `>=1.16.0-0` - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| Nirmata | | | - diff --git a/pod-security/charts/README.md.gotmpl b/pod-security/charts/README.md.gotmpl deleted file mode 100644 index 74663c24..00000000 --- a/pod-security/charts/README.md.gotmpl +++ /dev/null 
@@ -1,65 +0,0 @@ -{{ template "chart.header" . }} -{{ template "chart.deprecationWarning" . }} -{{ template "chart.description" . }} - -{{ template "chart.badgesSection" . }} - -## About - -This chart contains Enterprise Kyverno's implementation of the Kubernetes Pod Security Standards (PSS) as documented at https://kubernetes.io/docs/concepts/security/pod-security-standards/ and are a Helm packaged version of those found at https://github.com/kyverno/policies/tree/main/pod-security. The goal of the PSS controls is to provide a good starting point for general Kubernetes cluster operational security. These controls are broken down into two categories, Baseline and Restricted. Baseline policies implement the most basic of Pod security controls while Restricted implements more strict controls. Restricted is cumulative and encompasses those listed in Baseline. - -The following policies are included in each profile. - -**Baseline** - -* disallow-capabilities -* disallow-host-namespaces -* disallow-host-path -* disallow-host-ports -* disallow-host-process -* disallow-privileged-containers -* disallow-proc-mount -* disallow-selinux -* restrict-apparmor-profiles -* restrict-seccomp -* restrict-sysctls - -**Restricted** - -* disallow-capabilities-strict -* disallow-privilege-escalation -* require-run-as-non-root-user -* require-run-as-nonroot -* restrict-seccomp-strict -* restrict-volume-types - -## Installing the Chart - -These PSS policies presently have a minimum requirement of Enterprise Kyverno 1.6.0. 
- -```console -## Add the Enterprise Kyverno Helm repository -$ helm repo add nirmata https://nirmata.github.io/kyverno-charts/ && helm repo update nirmata - -## Install the Pod Security Standards Helm chart -$ helm install pss-policies -n nirmata-kyverno --create-namespace nirmata/pod-security-standard-policies -``` - -## Uninstalling the Chart - -To uninstall/delete the `pss-policies` chart: - -```console -$ helm delete -n nirmata-kyverno pss-policies -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -{{ template "chart.valuesSection" . }} - -{{ template "chart.sourcesSection" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.maintainersSection" . }} - diff --git a/pod-security/charts/ci/default-values.yaml b/pod-security/charts/ci/default-values.yaml deleted file mode 100644 index f5533b97..00000000 --- a/pod-security/charts/ci/default-values.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- -## This tests the default values. diff --git a/pod-security/charts/ci/test-autogen-none-values.yaml b/pod-security/charts/ci/test-autogen-none-values.yaml deleted file mode 100644 index 53ecdb41..00000000 --- a/pod-security/charts/ci/test-autogen-none-values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -podSecurityStandard: restricted -autogenControllers: none diff --git a/pod-security/charts/ci/test-preconditions-values.yaml b/pod-security/charts/ci/test-preconditions-values.yaml deleted file mode 100644 index df4e8e9d..00000000 --- a/pod-security/charts/ci/test-preconditions-values.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -podSecurityStandard: restricted -includeOtherPolicies: -- require-non-root-groups -policyPreconditions: - require-run-as-non-root-user: - all: - - key: "{{ request.object.metadata.name }}" - operator: NotEquals - value: "dcgm-exporter*" - require-drop-all: - any: - - key: "{{ request.object.metadata.name }}" - operator: NotEquals - value: "dcgm-exporter*" - adding-capabilities-strict: - all: - - key: "{{ request.object.metadata.name }}" - operator: NotEquals - value: "dcgm-exporter*" diff --git a/pod-security/charts/ci/test-rule-values.yaml b/pod-security/charts/ci/test-rule-values.yaml deleted file mode 100644 index 34b26cdb..00000000 --- a/pod-security/charts/ci/test-rule-values.yaml +++ /dev/null @@ -1,25 +0,0 @@ -podSecurityStandard: restricted -includeOtherPolicies: -- require-non-root-groups -policyExclude: - disallow-host-path: - any: - - resources: - kinds: - - Pod - namespaces: - - fluent - require-non-root-groups: - any: - - resources: - kinds: - - Pod - namespaces: - - fluent - check-runasgroup: - any: - - resources: - kinds: - - Pod - namespaces: - - kube-system diff --git a/pod-security/charts/ci/test-values.yaml b/pod-security/charts/ci/test-values.yaml deleted file mode 100644 index 31a5213e..00000000 --- a/pod-security/charts/ci/test-values.yaml +++ /dev/null @@ -1,31 +0,0 @@ -podSecurityStandard: restricted -includeOtherPolicies: -- require-non-root-groups -includeRestrictedPolicies: -- require-run-as-non-root-user -validationFailureActionByPolicy: - require-non-root-groups: enforce -validationFailureActionOverrides: - all: - - action: audit - namespaces: - - ingress-nginx - disallow-host-path: - - action: audit - namespaces: - - fluent -policyExclude: - disallow-host-path: - any: - - resources: - kinds: - - Pod - namespaces: - - fluent - require-non-root-groups: - any: - - resources: - kinds: - - Pod - namespaces: - - fluent 
diff --git a/pod-security/charts/templates/NOTES.txt b/pod-security/charts/templates/NOTES.txt deleted file mode 100644 index 5ce8e1ed..00000000 --- a/pod-security/charts/templates/NOTES.txt +++ /dev/null @@ -1,10 +0,0 @@ -Thank you for installing {{ .Chart.Name }} {{ .Chart.Version }} 😀 - - -We have installed the "{{ .Values.podSecurityStandard }}" profile of Pod Security Standards and set them in {{ .Values.validationFailureAction }} mode. - -Manage policies and governance at scale with the Nirmata Policy Manager to get a central view of the security and compliance posture of your cluster. - -Sign up for a Free Trial today - https://www.nirmata.io/security/signup.html - -Reach out to support@nirmata.com for any assistance. diff --git a/pod-security/charts/templates/_helpers.tpl b/pod-security/charts/templates/_helpers.tpl deleted file mode 100644 index ea0991ba..00000000 --- a/pod-security/charts/templates/_helpers.tpl +++ /dev/null 
@@ -1,84 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* Expand the name of the chart. */}} -{{- define "pod-security-standard-policies.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* Create chart name and version as used by the chart label. */}} -{{- define "pod-security-standard-policies.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* Helm required labels */}} -{{- define "pod-security-standard-policies.labels" -}} -app.kubernetes.io/component: kyverno -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/name: {{ template "pod-security-standard-policies.name" . }} -app.kubernetes.io/part-of: {{ template "pod-security-standard-policies.name" . }} -app.kubernetes.io/version: "{{ .Chart.Version }}" -helm.sh/chart: {{ template "pod-security-standard-policies.chart" . }} -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels }} -{{- end }} -{{- end -}} - -{{/* Set if a baseline policy is managed */}} -{{- define "pod-security-standard-policies.podSecurityBaseline" -}} -{{- if or (eq .Values.podSecurityStandard "baseline") (eq .Values.podSecurityStandard "restricted") }} -{{- true }} -{{- else if and (eq .Values.podSecurityStandard "custom") (has .name .Values.podSecurityPolicies) }} -{{- true }} -{{- else -}} -{{- false }} -{{- end -}} -{{- end -}} - -{{/* Set if a restricted policy is managed */}} -{{- define "pod-security-standard-policies.podSecurityRestricted" -}} -{{- if eq .Values.podSecurityStandard "restricted" }} -{{- true }} -{{- else if and (eq .Values.podSecurityStandard "custom") (has .name .Values.podSecurityPolicies) }} -{{- true }} -{{- else if has .name .Values.includeRestrictedPolicies }} -{{- true }} -{{- else -}} -{{- false }} -{{- end -}} -{{- end -}} - -{{/* Set if a other policies are managed */}} -{{- define 
"pod-security-standard-policies.podSecurityOther" -}} -{{- if has .name .Values.includeOtherPolicies }} -{{- true }} -{{- else -}} -{{- false }} -{{- end -}} -{{- end -}} - -{{/* Get deployed Kyverno version from Kubernetes */}} -{{- define "pod-security-standard-policies.kyvernoVersion" -}} -{{- $version := "" -}} -{{- if eq .Values.kyvernoVersion "autodetect" }} -{{- with (lookup "apps/v1" "Deployment" .Release.Namespace "kyverno") -}} - {{- with (first .spec.template.spec.containers) -}} - {{- $imageTag := (last (splitList ":" .image)) -}} - {{- $version = trimPrefix "v" $imageTag -}} - {{- end -}} -{{- end -}} -{{ $version }} -{{- else -}} -{{ .Values.kyvernoVersion }} -{{- end -}} -{{- end -}} - -{{/* Fail if deployed Kyverno does not match */}} -{{- define "pod-security-standard-policies.supportedKyvernoCheck" -}} -{{- $supportedKyverno := index . "ver" -}} -{{- $top := index . "top" }} -{{- if (include "pod-security-standard-policies.kyvernoVersion" $top) -}} - {{- if not ( semverCompare $supportedKyverno (include "pod-security-standard-policies.kyvernoVersion" $top) ) -}} - {{- fail (printf "Kyverno version is too low, expected %s" $supportedKyverno) -}} - {{- end -}} -{{- end -}} -{{- end -}} diff --git a/pod-security/charts/templates/baseline/disallow-capabilities.yaml b/pod-security/charts/templates/baseline/disallow-capabilities.yaml deleted file mode 100644 index 304639b0..00000000 --- a/pod-security/charts/templates/baseline/disallow-capabilities.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{- $name := "disallow-capabilities" }} -{{- if eq (include "pod-security-standard-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -{{- include "pod-security-standard-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - {{- with .Values.autogenControllers }} - pod-policies.nirmata.com/autogen-controllers: {{ . }} - {{- end }} - policies.nirmata.com/title: Disallow Capabilities - policies.nirmata.com/category: Pod Security Standards (Baseline) - {{- if .Values.podSecuritySeverity }} - policies.nirmata.com/severity: {{ .Values.podSecuritySeverity }} - {{- end }} - kyverno.io/kyverno-version: 1.6.0 - policies.nirmata.com/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.22-1.23" - policies.nirmata.com/subject: Pod - policies.nirmata.com/description: >- - Adding capabilities beyond those listed in the policy must be disallowed. - labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }} -spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} - background: {{ .Values.background }} - failurePolicy: {{ .Values.failurePolicy }} - rules: - - name: adding-capabilities - match: - any: - - resources: - kinds: - - Pod - {{- with index .Values "policyExclude" $name }} - exclude: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with index .Values "policyPreconditions" $name }} - preconditions: - {{- toYaml . 
| nindent 8 }} - {{- end }} - validate: - message: >- - Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, - FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) - are disallowed. - deny: - conditions: - all: - - key: "{{`{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}`}}" - operator: AnyNotIn - value: - - AUDIT_WRITE - - CHOWN - - DAC_OVERRIDE - - FOWNER - - FSETID - - KILL - - MKNOD - - NET_BIND_SERVICE - - SETFCAP - - SETGID - - SETPCAP - - SETUID - - SYS_CHROOT -{{- end }} diff --git a/pod-security/charts/templates/baseline/disallow-host-namespaces.yaml b/pod-security/charts/templates/baseline/disallow-host-namespaces.yaml deleted file mode 100644 index 37a115b0..00000000 --- a/pod-security/charts/templates/baseline/disallow-host-namespaces.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -{{- $name := "disallow-host-namespaces" }} -{{- if eq (include "pod-security-standard-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - {{- with .Values.autogenControllers }} - pod-policies.nirmata.com/autogen-controllers: {{ . }} - {{- end }} - policies.nirmata.com/title: Disallow Host Namespaces - policies.nirmata.com/category: Pod Security Standards (Baseline) - {{- if .Values.podSecuritySeverity }} - policies.nirmata.com/severity: {{ .Values.podSecuritySeverity }} - {{- end }} - kyverno.io/kyverno-version: 1.6.0 - kyverno.io/kubernetes-version: "1.22-1.23" - policies.nirmata.com/subject: Pod - policies.nirmata.com/description: >- - Host namespaces (Process ID namespace, Inter-Process Communication namespace, and - network namespace) allow access to shared information and can be used to elevate - privileges. Pods should not be allowed access to host namespaces. This policy ensures - fields which make use of these host namespaces are unset or set to `false`. - labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }} -spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} - background: {{ .Values.background }} - failurePolicy: {{ .Values.failurePolicy }} - rules: - - name: host-namespaces - match: - any: - - resources: - kinds: - - Pod - {{- with index .Values "policyExclude" $name }} - exclude: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with index .Values "policyPreconditions" $name }} - preconditions: - {{- toYaml . 
| nindent 8 }} - {{- end }} - validate: - message: >- - Sharing the host namespaces is disallowed. The fields spec.hostNetwork, - spec.hostIPC, and spec.hostPID must be unset or set to `false`. - pattern: - spec: - =(hostPID): "false" - =(hostIPC): "false" - =(hostNetwork): "false" -{{- end }} diff --git a/pod-security/charts/templates/baseline/disallow-host-path.yaml b/pod-security/charts/templates/baseline/disallow-host-path.yaml deleted file mode 100644 index 45859ae3..00000000 --- a/pod-security/charts/templates/baseline/disallow-host-path.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{- $name := "disallow-host-path" }} -{{- if eq (include "pod-security-standard-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - {{- with .Values.autogenControllers }} - pod-policies.nirmata.com/autogen-controllers: {{ . }} - {{- end }} - policies.nirmata.com/title: Disallow hostPath - policies.nirmata.com/category: Pod Security Standards (Baseline) - {{- if .Values.podSecuritySeverity }} - policies.nirmata.com/severity: {{ .Values.podSecuritySeverity }} - {{- end }} - policies.nirmata.com/subject: Pod,Volume - kyverno.io/kyverno-version: 1.6.0 - kyverno.io/kubernetes-version: "1.22-1.23" - policies.nirmata.com/description: >- - HostPath volumes let Pods use host directories and volumes in containers. - Using host resources can be used to access shared data or escalate privileges - and should not be allowed. This policy ensures no hostPath volumes are in use. - labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }} -spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} - background: {{ .Values.background }} - failurePolicy: {{ .Values.failurePolicy }} - rules: - - name: host-path - match: - any: - - resources: - kinds: - - Pod - {{- with index .Values "policyExclude" $name }} - exclude: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with index .Values "policyPreconditions" $name }} - preconditions: - {{- toYaml . | nindent 8 }} - {{- end }} - validate: - message: >- - HostPath volumes are forbidden. 
The field spec.volumes[*].hostPath must be unset. - pattern: - spec: - =(volumes): - - X(hostPath): "null" -{{- end }} diff --git a/pod-security/charts/templates/baseline/disallow-host-ports.yaml b/pod-security/charts/templates/baseline/disallow-host-ports.yaml deleted file mode 100644 index 3ed3786b..00000000 --- a/pod-security/charts/templates/baseline/disallow-host-ports.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -{{- $name := "disallow-host-ports" }} -{{- if eq (include "pod-security-standard-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - {{- with .Values.autogenControllers }} - pod-policies.nirmata.com/autogen-controllers: {{ . }} - {{- end }} - policies.nirmata.com/title: Disallow hostPorts - policies.nirmata.com/category: Pod Security Standards (Baseline) - {{- if .Values.podSecuritySeverity }} - policies.nirmata.com/severity: {{ .Values.podSecuritySeverity }} - {{- end }} - policies.nirmata.com/subject: Pod - kyverno.io/kyverno-version: 1.6.0 - kyverno.io/kubernetes-version: "1.22-1.23" - policies.nirmata.com/description: >- - Access to host ports allows potential snooping of network traffic and should not be - allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` - field is unset or set to `0`. - labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }} -spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} - background: {{ .Values.background }} - failurePolicy: {{ .Values.failurePolicy }} - rules: - - name: host-ports-none - match: - any: - - resources: - kinds: - - Pod - {{- with index .Values "policyExclude" $name }} - exclude: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with index .Values "policyPreconditions" $name }} - preconditions: - {{- toYaml . | nindent 8 }} - {{- end }} - validate: - message: >- - Use of host ports is disallowed. 
The fields spec.containers[*].ports[*].hostPort - , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort - must either be unset or set to `0`. - pattern: - spec: - =(ephemeralContainers): - - =(ports): - - =(hostPort): 0 - =(initContainers): - - =(ports): - - =(hostPort): 0 - containers: - - =(ports): - - =(hostPort): 0 -{{- end }} diff --git a/pod-security/charts/templates/baseline/disallow-host-process.yaml b/pod-security/charts/templates/baseline/disallow-host-process.yaml deleted file mode 100644 index 2c06b78a..00000000 --- a/pod-security/charts/templates/baseline/disallow-host-process.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -{{- $name := "disallow-host-process" }} -{{- if eq (include "pod-security-standard-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - {{- with .Values.autogenControllers }} - pod-policies.nirmata.com/autogen-controllers: {{ . }} - {{- end }} - policies.nirmata.com/title: Disallow hostProcess - policies.nirmata.com/category: Pod Security Standards (Baseline) - {{- if .Values.podSecuritySeverity }} - policies.nirmata.com/severity: {{ .Values.podSecuritySeverity }} - {{- end }} - policies.nirmata.com/subject: Pod - kyverno.io/kyverno-version: 1.6.0 - kyverno.io/kubernetes-version: "1.22-1.23" - policies.nirmata.com/description: >- - Windows pods offer the ability to run HostProcess containers which enables privileged - access to the Windows node. Privileged access to the host is disallowed in the baseline - policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures - the `hostProcess` field, if present, is set to `false`. - labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }} -spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} - background: {{ .Values.background }} - failurePolicy: {{ .Values.failurePolicy }} - rules: - - name: host-process-containers - match: - any: - - resources: - kinds: - - Pod - {{- with index .Values "policyExclude" $name }} - exclude: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with index .Values "policyPreconditions" $name }} - preconditions: - {{- toYaml . 
| nindent 8 }} - {{- end }} - validate: - message: >- - HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess, - spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess, - and spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined - or set to `false`. - pattern: - spec: - =(ephemeralContainers): - - =(securityContext): - =(windowsOptions): - =(hostProcess): "false" - =(initContainers): - - =(securityContext): - =(windowsOptions): - =(hostProcess): "false" - containers: - - =(securityContext): - =(windowsOptions): - =(hostProcess): "false" -{{- end }} diff --git a/pod-security/charts/templates/baseline/disallow-privileged-containers.yaml b/pod-security/charts/templates/baseline/disallow-privileged-containers.yaml deleted file mode 100644 index 4cc7af14..00000000 --- a/pod-security/charts/templates/baseline/disallow-privileged-containers.yaml +++ /dev/null 
@@ -1,64 +0,0 @@
-{{- $name := "disallow-privileged-containers" }}
-{{- if eq (include "pod-security-standard-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: {{ $name }}
- annotations:
- {{- with .Values.autogenControllers }}
- pod-policies.nirmata.com/autogen-controllers: {{ . }}
- {{- end }}
- policies.nirmata.com/title: Disallow Privileged Containers
- policies.nirmata.com/category: Pod Security Standards (Baseline)
- {{- if .Values.podSecuritySeverity }}
- policies.nirmata.com/severity: {{ .Values.podSecuritySeverity }}
- {{- end }}
- policies.nirmata.com/subject: Pod
- kyverno.io/kyverno-version: 1.6.0
- kyverno.io/kubernetes-version: "1.22-1.23"
- policies.nirmata.com/description: >-
- Privileged mode disables most security mechanisms and must not be allowed. This policy
- ensures Pods do not call for privileged mode.
- labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }}
-spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
- background: {{ .Values.background }}
- failurePolicy: {{ .Values.failurePolicy }}
- rules:
- - name: privileged-containers
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with index .Values "policyExclude" $name }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with index .Values "policyPreconditions" $name }}
- preconditions:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- validate:
- message: >-
- Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
- and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.
- pattern:
- spec:
- =(ephemeralContainers):
- - =(securityContext):
- =(privileged): "false"
- =(initContainers):
- - =(securityContext):
- =(privileged): "false"
- containers:
- - =(securityContext):
- =(privileged): "false"
-{{- end }}
diff --git a/pod-security/charts/templates/baseline/disallow-proc-mount.yaml b/pod-security/charts/templates/baseline/disallow-proc-mount.yaml
deleted file mode 100644
index 6a559552..00000000
--- a/pod-security/charts/templates/baseline/disallow-proc-mount.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-{{- $name := "disallow-proc-mount" }}
-{{- if eq (include "pod-security-standard-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: {{ $name }}
- annotations:
- {{- with .Values.autogenControllers }}
- pod-policies.nirmata.com/autogen-controllers: {{ . }}
- {{- end }}
- policies.nirmata.com/title: Disallow procMount
- policies.nirmata.com/category: Pod Security Standards (Baseline)
- {{- if .Values.podSecuritySeverity }}
- policies.nirmata.com/severity: {{ .Values.podSecuritySeverity }}
- {{- end }}
- policies.nirmata.com/subject: Pod
- kyverno.io/kyverno-version: 1.6.0
- kyverno.io/kubernetes-version: "1.22-1.23"
- policies.nirmata.com/description: >-
- The default /proc masks are set up to reduce attack surface and should be required. This policy
- ensures nothing but the default procMount can be specified. Note that in order for users
- to deviate from the `Default` procMount requires setting a feature gate at the API
- server.
- labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }}
-spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
- background: {{ .Values.background }}
- failurePolicy: {{ .Values.failurePolicy }}
- rules:
- - name: check-proc-mount
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with index .Values "policyExclude" $name }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with index .Values "policyPreconditions" $name }}
- preconditions:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- validate:
- message: >-
- Changing the proc mount from the default is not allowed. The fields
- spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
- and spec.ephemeralContainers[*].securityContext.procMount must be unset or
- set to `Default`.
- pattern:
- spec:
- =(ephemeralContainers):
- - =(securityContext):
- =(procMount): "Default"
- =(initContainers):
- - =(securityContext):
- =(procMount): "Default"
- containers:
- - =(securityContext):
- =(procMount): "Default"
-{{- end }}
diff --git a/pod-security/charts/templates/baseline/disallow-selinux.yaml b/pod-security/charts/templates/baseline/disallow-selinux.yaml
deleted file mode 100644
index b59937eb..00000000
--- a/pod-security/charts/templates/baseline/disallow-selinux.yaml
+++ /dev/null
@@ -1,115 +0,0 @@
-{{- $name := "disallow-selinux" }}
-{{- if eq (include "pod-security-standard-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: {{ $name }}
- annotations:
- {{- with .Values.autogenControllers }}
- pod-policies.nirmata.com/autogen-controllers: {{ . }}
- {{- end }}
- policies.nirmata.com/title: Disallow SELinux
- policies.nirmata.com/category: Pod Security Standards (Baseline)
- {{- if .Values.podSecuritySeverity }}
- policies.nirmata.com/severity: {{ .Values.podSecuritySeverity }}
- {{- end }}
- policies.nirmata.com/subject: Pod
- kyverno.io/kyverno-version: 1.6.0
- kyverno.io/kubernetes-version: "1.22-1.23"
- policies.nirmata.com/description: >-
- SELinux options can be used to escalate privileges and should not be allowed. This policy
- ensures that the `seLinuxOptions` field is undefined.
- labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }}
-spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
- background: {{ .Values.background }}
- failurePolicy: {{ .Values.failurePolicy }}
- rules:
- - name: selinux-type
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with merge (index .Values "policyExclude" "selinux-type") (index .Values "policyExclude" $name) }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with merge (index .Values "policyPreconditions" "selinux-type") (index .Values "policyPreconditions" $name) }}
- preconditions:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- validate:
- message: >-
- Setting the SELinux type is restricted. The fields
- spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
- , spec.initContainers[*].securityContext.seLinuxOptions, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
- must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
- pattern:
- spec:
- =(securityContext):
- =(seLinuxOptions):
- =(type): "container_t | container_init_t | container_kvm_t"
- =(ephemeralContainers):
- - =(securityContext):
- =(seLinuxOptions):
- =(type): "container_t | container_init_t | container_kvm_t"
- =(initContainers):
- - =(securityContext):
- =(seLinuxOptions):
- =(type): "container_t | container_init_t | container_kvm_t"
- containers:
- - =(securityContext):
- =(seLinuxOptions):
- =(type): "container_t | container_init_t | container_kvm_t"
- - name: selinux-user-role
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with merge (index .Values "policyExclude" "selinux-user-role") (index .Values "policyExclude" $name) }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with merge (index .Values "policyPreconditions" "selinux-user-role") (index .Values "policyPreconditions" $name) }}
- preconditions:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- validate:
- message: >-
- Setting the SELinux user or role is forbidden. The fields
- spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,
- spec.containers[*].securityContext.seLinuxOptions.user, spec.containers[*].securityContext.seLinuxOptions.role,
- spec.initContainers[*].securityContext.seLinuxOptions.user, spec.initContainers[*].securityContext.seLinuxOptions.role,
- spec.ephemeralContainers[*].securityContext.seLinuxOptions.user, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role
- must be unset.
- pattern:
- spec:
- =(securityContext):
- =(seLinuxOptions):
- X(user): "null"
- X(role): "null"
- =(ephemeralContainers):
- - =(securityContext):
- =(seLinuxOptions):
- X(user): "null"
- X(role): "null"
- =(initContainers):
- - =(securityContext):
- =(seLinuxOptions):
- X(user): "null"
- X(role): "null"
- containers:
- - =(securityContext):
- =(seLinuxOptions):
- X(user): "null"
- X(role): "null"
-{{- end }}
diff --git a/pod-security/charts/templates/baseline/restrict-apparmor-profiles.yaml b/pod-security/charts/templates/baseline/restrict-apparmor-profiles.yaml
deleted file mode 100644
index db55b89f..00000000
--- a/pod-security/charts/templates/baseline/restrict-apparmor-profiles.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-{{- $name := "restrict-apparmor-profiles" }}
-{{- if eq (include "pod-security-standard-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: {{ $name }}
- annotations:
- {{- with .Values.autogenControllers }}
- pod-policies.nirmata.com/autogen-controllers: {{ . }}
- {{- end }}
- policies.nirmata.com/title: Restrict AppArmor
- policies.nirmata.com/category: Pod Security Standards (Baseline)
- {{- if .Values.podSecuritySeverity }}
- policies.nirmata.com/severity: {{ .Values.podSecuritySeverity }}
- {{- end }}
- policies.nirmata.com/subject: Pod, Annotation
- policies.nirmata.com/minversion: 1.3.0
- kyverno.io/kyverno-version: 1.6.0
- kyverno.io/kubernetes-version: "1.22-1.23"
- policies.nirmata.com/description: >-
- On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
- The default policy should prevent overriding or disabling the policy, or restrict
- overrides to an allowed set of profiles. This policy ensures Pods do not
- specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
- labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }}
-spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
- background: {{ .Values.background }}
- failurePolicy: {{ .Values.failurePolicy }}
- rules:
- - name: app-armor
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with index .Values "policyExclude" $name }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with index .Values "policyPreconditions" $name }}
- preconditions:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- validate:
- message: >-
- Specifying other AppArmor profiles is disallowed. The annotation
- `container.apparmor.security.beta.kubernetes.io` if defined
- must not be set to anything other than `runtime/default` or `localhost/*`.
- pattern:
- =(metadata):
- =(annotations):
- =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"
-{{- end }}
diff --git a/pod-security/charts/templates/baseline/restrict-seccomp.yaml b/pod-security/charts/templates/baseline/restrict-seccomp.yaml
deleted file mode 100644
index a4a0e810..00000000
--- a/pod-security/charts/templates/baseline/restrict-seccomp.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-{{- $name := "restrict-seccomp" }}
-{{- if eq (include "pod-security-standard-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: {{ $name }}
- annotations:
- {{- with .Values.autogenControllers }}
- pod-policies.nirmata.com/autogen-controllers: {{ . }}
- {{- end }}
- policies.nirmata.com/title: Restrict Seccomp
- policies.nirmata.com/category: Pod Security Standards (Baseline)
- {{- if .Values.podSecuritySeverity }}
- policies.nirmata.com/severity: {{ .Values.podSecuritySeverity }}
- {{- end }}
- policies.nirmata.com/subject: Pod
- kyverno.io/kyverno-version: 1.6.0
- kyverno.io/kubernetes-version: "1.22-1.23"
- policies.nirmata.com/description: >-
- The seccomp profile must not be explicitly set to Unconfined. This policy,
- requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
- set to `RuntimeDefault` or `Localhost`.
- labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }}
-spec:
- background: {{ .Values.background }}
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
- failurePolicy: {{ .Values.failurePolicy }}
- rules:
- - name: check-seccomp
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with index .Values "policyExclude" $name }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with index .Values "policyPreconditions" $name }}
- preconditions:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- validate:
- message: >-
- Use of custom Seccomp profiles is disallowed. The fields
- spec.securityContext.seccompProfile.type,
- spec.containers[*].securityContext.seccompProfile.type,
- spec.initContainers[*].securityContext.seccompProfile.type, and
- spec.ephemeralContainers[*].securityContext.seccompProfile.type
- must be unset or set to `RuntimeDefault` or `Localhost`.
- pattern:
- spec:
- =(securityContext):
- =(seccompProfile):
- =(type): "RuntimeDefault | Localhost"
- =(ephemeralContainers):
- - =(securityContext):
- =(seccompProfile):
- =(type): "RuntimeDefault | Localhost"
- =(initContainers):
- - =(securityContext):
- =(seccompProfile):
- =(type): "RuntimeDefault | Localhost"
- containers:
- - =(securityContext):
- =(seccompProfile):
- =(type): "RuntimeDefault | Localhost"
-{{- end }}
diff --git a/pod-security/charts/templates/baseline/restrict-sysctls.yaml b/pod-security/charts/templates/baseline/restrict-sysctls.yaml
deleted file mode 100644
index 4a01f843..00000000
--- a/pod-security/charts/templates/baseline/restrict-sysctls.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-{{- $name := "restrict-sysctls" }}
-{{- if eq (include "pod-security-standard-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: {{ $name }}
- annotations:
- {{- with .Values.autogenControllers }}
- pod-policies.nirmata.com/autogen-controllers: {{ . }}
- {{- end }}
- policies.nirmata.com/title: Restrict sysctls
- policies.nirmata.com/category: Pod Security Standards (Baseline)
- {{- if .Values.podSecuritySeverity }}
- policies.nirmata.com/severity: {{ .Values.podSecuritySeverity }}
- {{- end }}
- policies.nirmata.com/subject: Pod
- kyverno.io/kyverno-version: 1.6.0
- kyverno.io/kubernetes-version: "1.22-1.23"
- policies.nirmata.com/description: >-
- Sysctls can disable security mechanisms or affect all containers on a
- host, and should be disallowed except for an allowed "safe" subset. A
- sysctl is considered safe if it is namespaced in the container or the
- Pod, and it is isolated from other Pods or processes on the same Node.
- This policy ensures that only those "safe" subsets can be specified in
- a Pod.
- labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }}
-spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
- background: {{ .Values.background }}
- failurePolicy: {{ .Values.failurePolicy }}
- rules:
- - name: check-sysctls
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with index .Values "policyExclude" $name }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with index .Values "policyPreconditions" $name }}
- preconditions:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- validate:
- message: >-
- Setting additional sysctls above the allowed type is disallowed.
- The field spec.securityContext.sysctls must be unset or not use any other names
- than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
- net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
- net.ipv4.ping_group_range.
- pattern:
- spec:
- =(securityContext):
- =(sysctls):
- - =(name): "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"
-{{- end }}
diff --git a/pod-security/charts/templates/other/require-non-root-groups.yaml b/pod-security/charts/templates/other/require-non-root-groups.yaml
deleted file mode 100644
index d2d5f0ba..00000000
--- a/pod-security/charts/templates/other/require-non-root-groups.yaml
+++ /dev/null
@@ -1,122 +0,0 @@
-{{- $name := "require-non-root-groups" }}
-{{- if eq (include "pod-security-standard-policies.podSecurityOther" (merge (dict "name" $name) .)) "true" }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: {{ $name }}
- annotations:
- {{- with .Values.autogenControllers }}
- pod-policies.nirmata.com/autogen-controllers: {{ . }}
- {{- end }}
- policies.nirmata.com/category: Sample
- {{- if .Values.podSecuritySeverity }}
- policies.nirmata.com/severity: {{ .Values.podSecuritySeverity | quote }}
- {{- end }}
- policies.nirmata.com/minversion: 1.3.6
- kyverno.io/kyverno-version: 1.6.0
- kyverno.io/kubernetes-version: "1.22-1.23"
- policies.nirmata.com/subject: Pod
- policies.nirmata.com/description: >-
- Containers should be forbidden from running with a root primary or supplementary GID.
- This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number
- greater than zero (i.e., non root). A known issue prevents a policy such as this
- using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
- labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }}
-spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
- background: {{ .Values.background }}
- failurePolicy: {{ .Values.failurePolicy }}
- rules:
- - name: check-runasgroup
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with merge (index .Values "policyExclude" "check-runasgroup") (index .Values "policyExclude" $name) }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with merge (index .Values "policyPreconditions" "check-runasgroup") (index .Values "policyPreconditions" $name) }}
- preconditions:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- validate:
- message: >-
- Running with root group IDs is disallowed. The fields
- spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
- spec.initContainers[*].securityContext.runAsGroup, and
- spec.ephemeralContainers[*].securityContext.runAsGroup must be
- set to a value greater than zero.
- anyPattern:
- - spec:
- securityContext:
- runAsGroup: ">0"
- =(ephemeralContainers):
- - =(securityContext):
- =(runAsGroup): ">0"
- =(initContainers):
- - =(securityContext):
- =(runAsGroup): ">0"
- containers:
- - =(securityContext):
- =(runAsGroup): ">0"
- - spec:
- =(ephemeralContainers):
- - securityContext:
- runAsGroup: ">0"
- =(initContainers):
- - securityContext:
- runAsGroup: ">0"
- containers:
- - securityContext:
- runAsGroup: ">0"
- - name: check-supplementalgroups
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with merge (index .Values "policyExclude" "check-supplementalgroups") (index .Values "policyExclude" $name) }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with merge (index .Values "policyPreconditions" "check-supplementalgroups") (index .Values "policyPreconditions" $name) }}
- preconditions:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- validate:
- message: >-
- Containers cannot run with a root primary or supplementary GID. The field
- spec.securityContext.supplementalGroups must be unset or
- set to a value greater than zero.
- pattern:
- spec:
- =(securityContext):
- =(supplementalGroups): ">0"
- - name: check-fsgroup
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with merge (index .Values "policyExclude" "check-fsgroup") (index .Values "policyExclude" $name) }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- validate:
- message: >-
- Containers cannot run with a root primary or supplementary GID. The field
- spec.securityContext.fsGroup must be unset or set to a value greater than zero.
- pattern:
- spec:
- =(securityContext):
- =(fsGroup): ">0"
-{{- end }}
diff --git a/pod-security/charts/templates/restricted/disallow-capabilities-strict.yaml b/pod-security/charts/templates/restricted/disallow-capabilities-strict.yaml
deleted file mode 100644
index aa2f03fd..00000000
--- a/pod-security/charts/templates/restricted/disallow-capabilities-strict.yaml
+++ /dev/null
@@ -1,123 +0,0 @@
-{{- $name := "disallow-capabilities-strict" }}
-{{- if eq (include "pod-security-standard-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
-{{- include "pod-security-standard-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: {{ $name }}
- annotations:
- {{- with .Values.autogenControllers }}
- pod-policies.nirmata.com/autogen-controllers: {{ . }}
- {{- end }}
- policies.nirmata.com/title: Disallow Capabilities (Strict)
- policies.nirmata.com/category: Pod Security Standards (Restricted)
- {{- if .Values.podSecuritySeverity }}
- policies.nirmata.com/severity: {{ .Values.podSecuritySeverity | quote }}
- {{- end }}
- policies.nirmata.com/minversion: 1.6.0
- kyverno.io/kyverno-version: 1.6.0
- kyverno.io/kubernetes-version: "1.22-1.23"
- policies.nirmata.com/subject: Pod
- policies.nirmata.com/description: >-
- Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
- all containers must explicitly drop `ALL` capabilities.
- labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }}
-spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
- background: {{ .Values.background }}
- failurePolicy: {{ .Values.failurePolicy }}
- rules:
- - name: require-drop-all
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with merge (index .Values "policyExclude" "require-drop-all") (index .Values "policyExclude" $name) }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- $preconditions1 := merge (index .Values "policyPreconditions" "require-drop-all") (index .Values "policyPreconditions" $name) }}
- {{- if $preconditions1 }}
- {{- with $preconditions1 }}
- preconditions:
- {{- if .all }}
- all:
- - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}"
- operator: NotEquals
- value: DELETE
- {{- toYaml .all | nindent 8 }}
- {{- else }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- end }}
- {{- else }}
- preconditions:
- all:
- - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}"
- operator: NotEquals
- value: DELETE
- {{- end }}
- validate:
- message: >-
- Containers must drop `ALL` capabilities.
- foreach:
- - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
- deny:
- conditions:
- all:
- - key: ALL
- operator: AnyNotIn
- value: "{{`{{`}} element.securityContext.capabilities.drop[].to_upper(@) || `[]` {{`}}`}}"
- - name: adding-capabilities-strict
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with merge (index .Values "policyExclude" "adding-capabilities-strict") (index .Values "policyExclude" $name) }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- $preconditions2 := merge (index .Values "policyPreconditions" "adding-capabilities-strict") (index .Values "policyPreconditions" $name) }}
- {{- if $preconditions2 }}
- {{- with $preconditions2 }}
- preconditions:
- {{- if .all }}
- all:
- - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}"
- operator: NotEquals
- value: DELETE
- {{- toYaml .all | nindent 8 }}
- {{- else }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- end }}
- {{- else }}
- preconditions:
- all:
- - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}"
- operator: NotEquals
- value: DELETE
- {{- end }}
- validate:
- message: >-
- Any capabilities added other than NET_BIND_SERVICE are disallowed.
- foreach:
- - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
- deny:
- conditions:
- all:
- - key: "{{`{{`}} element.securityContext.capabilities.add[].to_upper(@) || `[]` {{`}}`}}"
- operator: AnyNotIn
- value:
- - NET_BIND_SERVICE
- - ''
-{{- end }}
diff --git a/pod-security/charts/templates/restricted/disallow-privilege-escalation.yaml b/pod-security/charts/templates/restricted/disallow-privilege-escalation.yaml
deleted file mode 100644
index 0bf309f3..00000000
--- a/pod-security/charts/templates/restricted/disallow-privilege-escalation.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-{{- $name := "disallow-privilege-escalation" }}
-{{- if eq (include "pod-security-standard-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: {{ $name }}
- annotations:
- {{- with .Values.autogenControllers }}
- pod-policies.nirmata.com/autogen-controllers: {{ . }}
- {{- end }}
- policies.nirmata.com/title: Disallow Privilege Escalation
- policies.nirmata.com/category: Pod Security Standards (Restricted)
- {{- if .Values.podSecuritySeverity }}
- policies.nirmata.com/severity: {{ .Values.podSecuritySeverity | quote }}
- {{- end }}
- policies.nirmata.com/subject: Pod
- kyverno.io/kyverno-version: 1.6.0
- kyverno.io/kubernetes-version: "1.22-1.23"
- policies.nirmata.com/description: >-
- Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
- This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
- labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }}
-spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
- background: {{ .Values.background }}
- failurePolicy: {{ .Values.failurePolicy }}
- rules:
- - name: privilege-escalation
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with index .Values "policyExclude" $name }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with index .Values "policyPreconditions" $name }}
- preconditions:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- validate:
- message: >-
- Privilege escalation is disallowed. The fields
- spec.containers[*].securityContext.allowPrivilegeEscalation,
- spec.initContainers[*].securityContext.allowPrivilegeEscalation,
- and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
- must be set to `false`.
- pattern:
- spec:
- =(ephemeralContainers):
- - securityContext:
- allowPrivilegeEscalation: "false"
- =(initContainers):
- - securityContext:
- allowPrivilegeEscalation: "false"
- containers:
- - securityContext:
- allowPrivilegeEscalation: "false"
-{{- end }}
diff --git a/pod-security/charts/templates/restricted/require-run-as-non-root-user.yaml b/pod-security/charts/templates/restricted/require-run-as-non-root-user.yaml
deleted file mode 100644
index fb413dd3..00000000
--- a/pod-security/charts/templates/restricted/require-run-as-non-root-user.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-{{- $name := "require-run-as-non-root-user" }}
-{{- if eq (include "pod-security-standard-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: {{ $name }}
- annotations:
- {{- with .Values.autogenControllers }}
- pod-policies.nirmata.com/autogen-controllers: {{ . }}
- {{- end }}
- policies.nirmata.com/title: Require Run As Non-Root User
- policies.nirmata.com/category: Pod Security Standards (Restricted)
- {{- if .Values.podSecuritySeverity }}
- policies.nirmata.com/severity: {{ .Values.podSecuritySeverity | quote }}
- {{- end }}
- policies.nirmata.com/subject: Pod
- kyverno.io/kyverno-version: 1.6.0
- kyverno.io/kubernetes-version: "1.22-1.23"
- policies.nirmata.com/description: >-
- Containers must be required to run as non-root users. This policy ensures
- `runAsUser` is either unset or set to a number greater than zero.
- labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }}
-spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
- background: {{ .Values.background }}
- failurePolicy: {{ .Values.failurePolicy }}
- rules:
- - name: run-as-non-root-user
- match:
- any:
- - resources:
- kinds:
- - Pod
- {{- with index .Values "policyExclude" $name }}
- exclude:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with index .Values "policyPreconditions" $name }}
- preconditions:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- validate:
- message: >-
- Running as root is not allowed. The fields spec.securityContext.runAsUser,
- spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,
- and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or
- set to a number greater than zero.
- pattern:
- spec:
- =(securityContext):
- =(runAsUser): ">0"
- =(ephemeralContainers):
- - =(securityContext):
- =(runAsUser): ">0"
- =(initContainers):
- - =(securityContext):
- =(runAsUser): ">0"
- containers:
- - =(securityContext):
- =(runAsUser): ">0"
-{{- end }}
diff --git a/pod-security/charts/templates/restricted/require-run-as-nonroot.yaml b/pod-security/charts/templates/restricted/require-run-as-nonroot.yaml
deleted file mode 100644
index 9c53c871..00000000
--- a/pod-security/charts/templates/restricted/require-run-as-nonroot.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -{{- $name := "require-run-as-nonroot" }} -{{- if eq (include "pod-security-standard-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - {{- with .Values.autogenControllers }} - pod-policies.nirmata.com/autogen-controllers: {{ . }} - {{- end }} - policies.nirmata.com/title: Require runAsNonRoot - policies.nirmata.com/category: Pod Security Standards (Restricted) - {{- if .Values.podSecuritySeverity }} - policies.nirmata.com/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.nirmata.com/subject: Pod - kyverno.io/kyverno-version: 1.6.0 - kyverno.io/kubernetes-version: "1.22-1.23" - policies.nirmata.com/description: >- - Containers must be required to run as non-root users. This policy ensures - `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this - using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. - labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }} -spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} - background: {{ .Values.background }} - failurePolicy: {{ .Values.failurePolicy }} - rules: - - name: run-as-non-root - match: - any: - - resources: - kinds: - - Pod - {{- with index .Values "policyExclude" $name }} - exclude: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with index .Values "policyPreconditions" $name }} - preconditions: - {{- toYaml . | nindent 8 }} - {{- end }} - validate: - message: >- - Running as root is not allowed. 
Either the field spec.securityContext.runAsNonRoot - must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, - spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot - must be set to `true`. - anyPattern: - - spec: - securityContext: - runAsNonRoot: true - =(ephemeralContainers): - - =(securityContext): - =(runAsNonRoot): true - =(initContainers): - - =(securityContext): - =(runAsNonRoot): true - containers: - - =(securityContext): - =(runAsNonRoot): true - - spec: - =(ephemeralContainers): - - securityContext: - runAsNonRoot: true - =(initContainers): - - securityContext: - runAsNonRoot: true - containers: - - securityContext: - runAsNonRoot: true -{{- end }} diff --git a/pod-security/charts/templates/restricted/restrict-seccomp-strict.yaml b/pod-security/charts/templates/restricted/restrict-seccomp-strict.yaml deleted file mode 100644 index 4d943ea2..00000000 --- a/pod-security/charts/templates/restricted/restrict-seccomp-strict.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -{{- $name := "restrict-seccomp-strict" }} -{{- if eq (include "pod-security-standard-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - {{- with .Values.autogenControllers }} - pod-policies.nirmata.com/autogen-controllers: {{ . }} - {{- end }} - policies.nirmata.com/title: Restrict Seccomp (Strict) - policies.nirmata.com/category: Pod Security Standards (Restricted) - {{- if .Values.podSecuritySeverity }} - policies.nirmata.com/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.nirmata.com/subject: Pod - kyverno.io/kyverno-version: 1.6.0 - kyverno.io/kubernetes-version: "1.22-1.23" - policies.nirmata.com/description: >- - The seccomp profile in the Restricted group must not be explicitly set to Unconfined - but additionally must also not allow an unset value. This policy, - requiring Kubernetes v1.19 or later, ensures that seccomp is - set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this - using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. - labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }} -spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} - background: {{ .Values.background }} - failurePolicy: {{ .Values.failurePolicy }} - rules: - - name: check-seccomp-strict - match: - any: - - resources: - kinds: - - Pod - {{- with index .Values "policyExclude" $name }} - exclude: - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- with index .Values "policyPreconditions" $name }} - preconditions: - {{- toYaml . | nindent 8 }} - {{- end }} - validate: - message: >- - Use of custom Seccomp profiles is disallowed. The fields - spec.securityContext.seccompProfile.type, - spec.containers[*].securityContext.seccompProfile.type, - spec.initContainers[*].securityContext.seccompProfile.type, and - spec.ephemeralContainers[*].securityContext.seccompProfile.type - must be set to `RuntimeDefault` or `Localhost`. - anyPattern: - - spec: - securityContext: - seccompProfile: - type: "RuntimeDefault | Localhost" - =(ephemeralContainers): - - =(securityContext): - =(seccompProfile): - =(type): "RuntimeDefault | Localhost" - =(initContainers): - - =(securityContext): - =(seccompProfile): - =(type): "RuntimeDefault | Localhost" - containers: - - =(securityContext): - =(seccompProfile): - =(type): "RuntimeDefault | Localhost" - - spec: - =(ephemeralContainers): - - securityContext: - seccompProfile: - type: "RuntimeDefault | Localhost" - =(initContainers): - - securityContext: - seccompProfile: - type: "RuntimeDefault | Localhost" - containers: - - securityContext: - seccompProfile: - type: "RuntimeDefault | Localhost" -{{- end }} diff --git a/pod-security/charts/templates/restricted/restrict-volume-types.yaml b/pod-security/charts/templates/restricted/restrict-volume-types.yaml deleted file mode 100644 index 211c550f..00000000 --- a/pod-security/charts/templates/restricted/restrict-volume-types.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -{{- $name := "restrict-volume-types" }} -{{- if eq (include "pod-security-standard-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} -{{- include "pod-security-standard-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }} -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: {{ $name }} - annotations: - {{- with .Values.autogenControllers }} - pod-policies.nirmata.com/autogen-controllers: {{ . }} - {{- end }} - policies.nirmata.com/title: Restrict Volume Types - policies.nirmata.com/category: Pod Security Standards (Restricted) - {{- if .Values.podSecuritySeverity }} - policies.nirmata.com/severity: {{ .Values.podSecuritySeverity | quote }} - {{- end }} - policies.nirmata.com/subject: Pod,Volume - policies.nirmata.com/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.22-1.23" - kyverno.io/kyverno-version: 1.6.0 - policies.nirmata.com/description: >- - In addition to restricting HostPath volumes, the restricted pod security profile - limits usage of non-core volume types to those defined through PersistentVolumes. - This policy blocks any other type of volume other than those in the allow list. - labels: {{ include "pod-security-standard-policies.labels" . | nindent 4 }} -spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} - background: {{ .Values.background }} - failurePolicy: {{ .Values.failurePolicy }} - rules: - - name: restricted-volumes - match: - any: - - resources: - kinds: - - Pod - {{- with index .Values "policyExclude" $name }} - exclude: - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- with index .Values "policyPreconditions" $name }} - preconditions: - {{- toYaml . | nindent 8 }} - {{- end }} - validate: - message: >- - Only the following types of volumes may be used: configMap, csi, downwardAPI, - emptyDir, ephemeral, persistentVolumeClaim, projected, and secret. - deny: - conditions: - all: - - key: "{{`{{ request.object.spec.volumes[].keys(@)[] || '' }}`}}" - operator: AnyNotIn - value: - - name - - configMap - - csi - - downwardAPI - - emptyDir - - ephemeral - - persistentVolumeClaim - - projected - - secret - - '' -{{- end }} diff --git a/pod-security/charts/values.yaml b/pod-security/charts/values.yaml deleted file mode 100644 index 4fe5dc7f..00000000 --- a/pod-security/charts/values.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ -# -- Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`). -# For more info https://kyverno.io/policies/pod-security. -podSecurityStandard: baseline - -# -- Pod Security Standard (`low`, `medium`, `high`). -podSecuritySeverity: medium - -# -- Policies to include when `podSecurityStandard` is `custom`. -podSecurityPolicies: [] - -# -- Additional policies to include from `other`. -includeOtherPolicies: [] -# - require-non-root-groups - -# -- Additional policies to include from `restricted`. -includeRestrictedPolicies: [] -# - require-run-as-non-root-user - -# -- API server behavior if the webhook fails to respond ('Ignore', 'Fail') -# For more info: https://kyverno.io/docs/writing-policies/policy-settings/ -failurePolicy: Fail - -# -- Validation failure action (`audit`, `enforce`). -# For more info https://kyverno.io/docs/writing-policies/validate. -validationFailureAction: audit - -# -- Define validationFailureActionByPolicy for specific policies. -# Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. -validationFailureActionByPolicy: {} -# disallow-capabilities-strict: enforce -# disallow-host-path: enforce -# disallow-host-ports: enforce - -# -- Define validationFailureActionOverrides for specific policies. -# The overrides for `all` will apply to all policies. -validationFailureActionOverrides: - all: [] - # all: - # - action: audit - # namespaces: - # - ingress-nginx - # disallow-host-path: - # - action: audit - # namespaces: - # - fluent - -# -- Exclude resources from individual policies. -# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. 
-policyExclude: {} - # # Exclude resources from individual policies - # disallow-host-path: - # any: - # - resources: - # kinds: - # - Pod - # namespaces: - # - fluent - # # Policies with multiple rules can have individual rules excluded - # adding-capabilities-strict: - # any: - # - resources: - # kinds: - # - Pod - # namespaces: - # - kube-system -# -- Add preconditions to individual policies. -# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. -policyPreconditions: {} - # # Exclude resources from individual policies - # require-run-as-non-root-user: - # all: - # - key: "{{ request.object.metadata.name }}" - # operator: NotEquals - # value: "dcgm-exporter*" - # # Policies with multiple rules can have individual rules excluded - # require-drop-all: - # any: - # - key: "{{ request.object.metadata.name }}" - # operator: NotEquals - # value: "dcgm-exporter*" - # adding-capabilities-strict: - # all: - # - key: "{{ request.object.metadata.name }}" - # operator: NotEquals - # value: "dcgm-exporter*" - -# -- Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) -# For more info https://kyverno.io/docs/writing-policies/autogen/. -autogenControllers: "" - -# -- Name override. -nameOverride: - -# -- Additional labels. -customLabels: {} - -# -- Policies background mode -background: true - -# -- Kyverno version -# The default of "autodetect" will try to determine the currently installed version from the deployment -kyvernoVersion: autodetect