updated policies in alignment with oss #179

Merged
merged 5 commits into from
Jan 3, 2025
15 changes: 8 additions & 7 deletions charts/best-practices-k8s/pols/require_drop_all.yaml
Expand Up @@ -7,16 +7,15 @@ metadata:
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kyverno-version: 1.10.0
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Capabilities permit privileged actions without giving full root access. All
capabilities should be dropped from a Pod, with only those required added back.
This policy ensures that all containers explicitly specify the `drop: ["ALL"]`
ability. Note that this policy also illustrates how to cover drop entries in any
case although this may not strictly conform to the Pod Security Standards.
case although this may not strictly conform to the Pod Security Standards.
spec:
validationFailureAction: Audit
validationFailureAction: audit
background: true
rules:
- name: require-drop-all
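Review bot: the `validationFailureAction` change from `Audit` to lowercase `audit` in this hunk pulls against the new `kyverno.io/kyverno-version: 1.10.0` annotation added a few lines above; recent Kyverno releases document the capitalized `Audit`/`Enforce` values and treat the lowercase spellings as deprecated, so if the goal is alignment with upstream, confirm which casing the upstream copy of this policy uses before merging. The repeated `case although this may not strictly conform ...` line shows no visible text change, so check that it is not trailing-whitespace churn.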
Expand All @@ -25,12 +24,14 @@ spec:
- resources:
kinds:
- Pod
operations:
- CREATE
- UPDATE
preconditions:
all:
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
validate:
message: >-
Containers must drop `ALL` capabilities.
Containers must drop `ALL` capabilities.
foreach:
- list: request.object.spec.[ephemeralContainers, initContainers, containers][]
deny:
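Review bot: replacing the `{{ request.operation || 'BACKGROUND' }}` / `NotEquals DELETE` precondition with `operations: [CREATE, UPDATE]` under `match` is cleaner, but the `operations` selector is newer than the `policies.kyverno.io/minversion: 1.6.0` annotation the file still carries (it arrived in the 1.9 line, if I recall correctly), so either bump `minversion` alongside the `kyverno-version` annotation or keep the precondition. Since `background: true` is unchanged, also confirm that background scans of existing Pods still behave as before; the old `'BACKGROUND'` fallback made that path explicit.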
47 changes: 26 additions & 21 deletions charts/pod-security-restricted/pols/restrict-volume-types.yaml
Expand Up @@ -9,38 +9,43 @@ metadata:
policies.kyverno.io/subject: Pod,Volume
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: 1.10.0
policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/restricted/baseline/restrict-volume-types/"
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/description: >-
In addition to restricting HostPath volumes, the restricted pod security profile
limits usage of non-core volume types to those defined through PersistentVolumes.
This policy blocks any other type of volume other than those in the allow list.
This policy blocks any other type of volume other than those in the allow list.
spec:
validationFailureAction: Audit
validationFailureAction: audit
background: true
rules:
- name: restricted-volumes
match:
any:
- resources:
kinds:
- Pod
- resources:
kinds:
- Pod
preconditions:
all:
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
validate:
message: >-
Using volume types beyond those listed in the policy rule is disallowed.
Only the following types of volumes may be used: configMap, csi, downwardAPI,
emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
deny:
conditions:
all:
- key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
operator: AnyNotIn
value:
- name
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
- ""
- key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
operator: AnyNotIn
value:
- name
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
- ''
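Review bot: this hunk drops the `request.operation ... NotEquals DELETE` precondition without adding the `operations: [CREATE, UPDATE]` match that the corresponding change in `require_drop_all.yaml` introduced, so the deny rule will now also evaluate DELETE requests and could block removal of a Pod that carries a disallowed volume type; suggest adding the same `operations:` list under `match` here for consistency. Removing `policies.nirmata.io/remediation-docs` loses the remediation link for this policy; if alignment with OSS is the reason, it should be stated in the PR description. The `""` to `''` change in the allow list is cosmetic and can stay.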