diff --git a/best-practices/require_drop_all/require_drop_all.yaml b/best-practices/require_drop_all/require_drop_all.yaml index be903d65..35d55177 100644 --- a/best-practices/require_drop_all/require_drop_all.yaml +++ b/best-practices/require_drop_all/require_drop_all.yaml @@ -14,7 +14,7 @@ metadata: capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify the `drop: ["ALL"]` ability. Note that this policy also illustrates how to cover drop entries in any - case although this may not strictly conform to the Pod Security Standards. + case although this may not strictly conform to the Pod Security Standards. spec: validationFailureAction: Audit background: true @@ -25,12 +25,14 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE + preconditions: + all: + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: NotEquals + value: DELETE validate: message: >- - Containers must drop `ALL` capabilities. + Containers must drop `ALL` capabilities. foreach: - list: request.object.spec.[ephemeralContainers, initContainers, containers][] deny: diff --git a/charts/best-practices-k8s/Chart.yaml b/charts/best-practices-k8s/Chart.yaml index 3c143142..40649efc 100644 --- a/charts/best-practices-k8s/Chart.yaml +++ b/charts/best-practices-k8s/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubernetes-best-practice-policies description: Kubernetes Best Practice policy set type: application -version: 0.3.0-rc1 +version: 0.3.1 appVersion: 0.1.0 keywords: - kubernetes diff --git a/charts/best-practices-k8s/pols/require_drop_all.yaml b/charts/best-practices-k8s/pols/require_drop_all.yaml index be903d65..35d55177 100644 --- a/charts/best-practices-k8s/pols/require_drop_all.yaml +++ b/charts/best-practices-k8s/pols/require_drop_all.yaml 
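Review bot: The second hunk swaps the `operations: [CREATE, UPDATE]` match for a `request.operation` precondition, and nothing in the file explains the change in behaviour: the key falls back to `'BACKGROUND'` when `request.operation` is unset and `NotEquals DELETE` lets that fallback through, so with `background: true` the rule presumably now also evaluates existing Pods in background scans instead of only admission-time CREATE/UPDATE. A comment above `preconditions:` would save the next reader from re-deriving this, e.g. `# Run for every operation except DELETE; the BACKGROUND fallback keeps the rule active in background scans, where request.operation is not set.` The identical swap is made in charts/best-practices-k8s/pols/require_drop_all.yaml and in both restrict-volume-types.yaml copies further down, and the same comment belongs in each. The rule's `deny:` block continues below the hunk.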
@@ -14,7 +14,7 @@ metadata: capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify the `drop: ["ALL"]` ability. Note that this policy also illustrates how to cover drop entries in any - case although this may not strictly conform to the Pod Security Standards. + case although this may not strictly conform to the Pod Security Standards. spec: validationFailureAction: Audit background: true @@ -25,12 +25,14 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE + preconditions: + all: + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: NotEquals + value: DELETE validate: message: >- - Containers must drop `ALL` capabilities. + Containers must drop `ALL` capabilities. foreach: - list: request.object.spec.[ephemeralContainers, initContainers, containers][] deny: diff --git a/charts/pod-security-restricted/Chart.yaml b/charts/pod-security-restricted/Chart.yaml index 85288070..ffdcc17d 100644 --- a/charts/pod-security-restricted/Chart.yaml +++ b/charts/pod-security-restricted/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: pss-restricted-policies description: Pod Security Standards (restricted) policy set type: application -version: 0.4.1 +version: 0.4.2 appVersion: 0.1.0 keywords: - kubernetes diff --git a/charts/pod-security-restricted/pols/restrict-volume-types.yaml b/charts/pod-security-restricted/pols/restrict-volume-types.yaml index ebaaf231..a888e806 100644 --- a/charts/pod-security-restricted/pols/restrict-volume-types.yaml +++ b/charts/pod-security-restricted/pols/restrict-volume-types.yaml 
@@ -10,11 +10,10 @@ metadata: policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" kyverno.io/kyverno-version: 1.10.0 - policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/restricted/baseline/restrict-volume-types/" policies.kyverno.io/description: >- In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. - This policy blocks any other type of volume other than those in the allow list. + This policy blocks any other type of volume other than those in the allow list. spec: validationFailureAction: Audit background: true @@ -22,25 +21,31 @@ spec: - name: restricted-volumes match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod + preconditions: + all: + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: NotEquals + value: DELETE validate: message: >- - Using volume types beyond those listed in the policy rule is disallowed. + Only the following types of volumes may be used: configMap, csi, downwardAPI, + emptyDir, ephemeral, persistentVolumeClaim, projected, and secret. deny: conditions: all: - - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}" - operator: AnyNotIn - value: - - name - - configMap - - csi - - downwardAPI - - emptyDir - - ephemeral - - persistentVolumeClaim - - projected - - secret - - "" + - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}" + operator: AnyNotIn + value: + - name + - configMap + - csi + - downwardAPI + - emptyDir + - ephemeral + - persistentVolumeClaim + - projected + - secret + - '' diff --git a/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml index 01c7b29e..8b0f7afd 100644 --- a/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml +++ b/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml 
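Review bot: The new validate message in the second hunk hard-codes the allowed volume types that the `deny.conditions` `value` list also enumerates, so the two can drift silently when a type is added to one and not the other; a comment above the `value:` list, `# Keep in sync with the types named in validate.message above.`, would tie them together. The same duplicated message and list appear in pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml below. In the first hunk the `policies.nirmata.io/remediation-docs` annotation is removed without a replacement, and the commit does not say whether that link is intentionally retired.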
@@ -9,12 +9,11 @@ metadata: policies.kyverno.io/subject: Pod,Volume policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" - policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/restricted/restrict-volume-types/" + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/description: >- In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. - This policy blocks any other type of volume other than those in the allow list - (configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, and secret). + This policy blocks any other type of volume other than those in the allow list. spec: validationFailureAction: Audit background: true @@ -22,25 +21,31 @@ spec: - name: restricted-volumes match: any: - - resources: - kinds: - - Pod + - resources: + kinds: + - Pod + preconditions: + all: + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: NotEquals + value: DELETE validate: message: >- - Using volume types beyond those listed in the policy rule is disallowed. + Only the following types of volumes may be used: configMap, csi, downwardAPI, + emptyDir, ephemeral, persistentVolumeClaim, projected, and secret. deny: conditions: all: - - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}" - operator: AnyNotIn - value: - - name - - configMap - - csi - - downwardAPI - - emptyDir - - ephemeral - - persistentVolumeClaim - - projected - - secret - - "" + - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}" + operator: AnyNotIn + value: + - name + - configMap + - csi + - downwardAPI + - emptyDir + - ephemeral + - persistentVolumeClaim + - projected + - secret + - '' \ No newline at end of file
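Review bot: The file ends without a trailing newline (`\ No newline at end of file` after the last `- ''` line), so this copy and charts/pod-security-restricted/pols/restrict-volume-types.yaml become different blobs (8b0f7afd vs a888e806) even though every line visible in these hunks is identical on the new side; adding the final newline would make the two copies byte-identical, as far as the hunks show, and let any later drift between them be caught by hash. The first hunk drops the explicit list of permitted types from `policies.kyverno.io/description` while the validate message gains it, which is consistent, but a reader of the annotation alone no longer sees which types are allowed.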